You are on page 1of 133

International Audit Workbook (Interntional Audit Workbook)

Interntional Audit Workbook

International Audit Workbook

Chapter 1 - Introduction and Contents

Purpose of Audit Workbook

Description of Contents

Chapter 2 - Engagement Management

2.1 Team Member Roles

2.2. Client and Engagement Acceptance and Continuance

2.3 Setting the Terms of the Audit

2.4 Audit Documentation

2.5. Review

2.6. Communications with Management and Those Charged with Governance

Chapter 3 - Planning

3.1. Preliminary Engagement Activities

3.2. Kickoff Discussion

3.3. Engagement Scope

3.4. Audit Strategy Decisions

3.5. Risk Assessment Procedures

3.6. Understanding the Entity

3.7. Risk Assessment and Planning Discussion

3.8. Summary of Identified Risks

3.9. Planned Audit Approach

3.10. Changes to Our Audit Strategy or Planned Audit Approach

Chapter 4 - Control Evaluation

4.1. Entity Level Controls

4.2. Accounting Activities at the Assertion Level

4.3. Controls at the Assertion Level

4.4. Test the Operating Effectiveness of Selected Controls


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
4.5. Control Deficiencies
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

4.6. Substantive Approach Page 1 / 133


4.2. Accounting Activities at the Assertion Level

4.3. Controls at the Assertion Level


International Audit Workbook (Interntional Audit Workbook)

4.4. Test the Operating Effectiveness of Selected Controls

4.5. Control Deficiencies

4.6. Substantive Approach

4.7. Financial Reporting

4.8. Risk of Significant Misstatement (RoSM)

Chapter 5 - Substantive Testing

5.1. Risk of Significant Misstatement

5.2. Substantive Procedures

5.3. Nature, Timing, and Extent of Substantive Procedures

5.4. Substantive Analytical Procedures

5.5. Tests of Details

5.6. Computer Assisted Audit Techniques

5.7. Substantive Sampling Techniques

5.8. External Confirmations

Chapter 6 - Completion

6.1. Performing Completion Procedures

6.2. Audit Objectives Associated with Significant Risks

6.3. Significant Findings and Issues

6.4. Results of Audit Procedures

6.5. Independence and Ethical Issues

Chapter 7 - Specific Topics

Chapter 8 - Engagements to Review Interim Financial Information of an Audit Client

8.1 Obtain an Understanding of the Entity and Its Environment, Including Its Internal Control

8.2 Inquiries, Analytical Procedures, and Other Review Procedures

8.3 Evaluate the Results of Our Review

8.4 Other Considerations

8.5 Obtain Management Representation Letters

8.6 Other Information That Accompanies the Interim Financial Information

8.7 Communication with Management and Those Charged with Governance


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
8.8 Reporting
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Chapter 9 - Group Audits Page 2 / 133


8.5 Obtain Management Representation Letters

8.6 Other Information That Accompanies the Workbook


International Audit Interim Financial
(InterntionalInformation
Audit Workbook)

8.7 Communication with Management and Those Charged with Governance

8.8 Reporting

Chapter 9 - Group Audits

Appendix A - Audit Workbook Supplement 2009

Introduction and Contents


Interntional Audit Workbook

Chapter 1 - Introduction and Contents


This Workbook is intended to serve only as a partial summary of various tools and workflows associated with the
performance of a KPMG audit. The KPMG Audit Manual (KAM) International continues to be the primary source of KPMG
policy and guidance related to the performance of a KPMG audit. KAM International is available on Accounting Research
Online (ARO) and may also be available on your desktop. Guidance on using KAM International can be accessed by selecting
the "KAM Help File" from the KAM International Welcome Screen.
This Workbook is intended to provide further discussion relating to the interpretation of KAM International. The way in which
KAM International is applied to the circumstances of the particular audit is a matter of judgment for the engagement partner
and the engagement team.
Guidance regarding integrated audits performed in accordance with the Public Company Accounting Oversight Board
(PCAOB) Auditing Standard No. 5, "An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of
Financial Statements," is not included in KAM International or in the Audit Workbook. For guidance regarding engagements
performed pursuant to this standard, refer to the KPMG Integrated Audit Manual and the Integrated Audit working papers
available on ARO.
This Workbook is for internal use only and is not to be distributed outside of KPMG.

Purpose of Audit Workbook


The Audit Workbook is designed to provide you with assistance in the use of various tools developed to perform a KPMG
audit.
The Workbook is not intended to be a comprehensive summary of the KPMG Audit Methodology. Accordingly, engagement
teams are expected to continue to refer to KAM International with respect to the substance of KPMG policies, bold type
paragraphs, and guidance related to the performance of a KPMG audit.
The KPMG Audit Methodology is designed to comply with International Standards on Auditing (ISAs). ISAs are available via
ARO and can be accessed by selecting "Professional Standards" from the KAM International Welcome Screen. Audit
professionals refer to additional internal and external sources of guidance and/or consultation (including consultation with
other members of the engagement team), as appropriate.
In addition to the Audit Workbook, engagement teams are encouraged to use the Audit Toolkit. The Audit Toolkit is a list of
information organized by audit workflow (FSA, IA, SE, and VSE), which engagement teams will find useful when performing
an audit.
For the Less Complex Entity (LCE) workflow, the following additional materials are available in the LCE home page
(accessible from the Global Audit home page or from the Vector home page):

• LCE Overview - brief presentation of LCE and of the new features available

• LCE Tips - a short list of tips to bring a new user quickly up to speed

• Virtual LCE - a comprehensive presentation of LCE, but using a screenshot-based and intuitive
format

• LCE User Guide - the detailed guide to all the functionality available in the tool
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• Audit of Trex - a practical example of an audit engagement in LCE, using the new features
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
available in the tool
Page 3 / 133
• LCE Tips - a short list of tips to bring a new user quickly up to speed

• Virtual LCE - a comprehensive presentation ofWorkbook


International Audit LCE, but(Interntional
using a screenshot-based
Audit Workbook) and intuitive
format

• LCE User Guide - the detailed guide to all the functionality available in the tool

• Audit of Trex - a practical example of an audit engagement in LCE, using the new features
available in the tool

Description of Contents
The contents of this Workbook are based on the April 2008 version of KAM International, the related Global Workpapers
(GWPs), and KAM Alert 2008/04 (i.e., revisions related to materiality).
The Audit Workbook addresses the audit workflows, specific topics (fraud, laws and regulations, subsequent events, etc.),
engagement management topics, and GWPs. To the extent possible, the Audit Workbook also includes flow charts, decision
trees, and graphics related to the audit methodology.
The content of the Workbook is presented in a variety of styles, as follows:

Content that is displayed in this style of box and that is not part of a table signifies a definition.

A term that is highlighted in blue signifies that this term is defined within the Audit Workbook. A listing of these terms and
the page number where the definition can be found is included in the Index.
All examples are presented in italics.

Content which is displayed with an exclamation sign signifies that engagement teams generally

! should be alert to this topic area (e.g., revenue recognition).

Content which is displayed with a checkmark indicates that additional assistance is available in
the form of Practice Aids or Attachments to the GWPs.

Content which is displayed with a light bulb indicates tips (i.e., additional information that the
engagement team may consider).

Content which is displayed in this style of box with light yellow shading signifies that the content is applicable to SE
or VSE engagements. This content is not included in KAM International and generally represents tips or additional
information that engagement teams working on such engagements may consider.
Interntional Audit Workbook

Chapter 2 - Engagement Management


This section addresses:

• the roles of team members and other people or functions that may be involved in an audit
engagement

• client and engagement acceptance and continuance

• setting the terms of the audit

• working papers and how we manage them, and


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• reporting on our findings, including required communications.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

2.1 Team Member Roles Page 4 / 133


engagement

• client and engagement acceptance and continuance

• setting the terms of the audit International Audit Workbook (Interntional Audit Workbook)

• working papers and how we manage them, and

• reporting on our findings, including required communications.

2.1 Team Member Roles


Engagement teams may include the following members:

• engagement partner

• engagement manager

• other professional staff

• KPMG specialists (including IRM, tax, forensic specialists, etc.)

• external experts (contracted by the KPMG member firm)


Others that may be involved in an audit engagement include:

• engagement quality control reviewer

• U.S. GAAP/GAAS and IFRS assignments

• reviewing partners

• external experts (employed or contracted by the entity)

• other KPMG locations, and

• other independent auditors.


For guidance regarding other KPMG locations and other independent auditors, refer to the KAM Alert expected to be
released in 2008.
Additionally, the engagement team considers the effects of the work performed by internal audit or the use of a service
organization by the entity when planning and performing the audit.

2.1.1 Engagement Partner


The engagement partner is responsible for the conduct of the engagement in accordance with the engagement letter or
instructions and applicable laws, regulations, and professional standards. [2068.0.1]
The engagement partner is responsible for the overall performance and the technical quality of the audit, including:
[2068.1]

• directing the audit in accordance with KPMG policies and bold type paragraphs

• determining materiality for planning purposes at the financial statement level and subsequent
revisions, if applicable

• reviewing and approving significant deliverables prior to releasing them outside of KPMG

• the quality of deliverables, ensuring that deliverables are consistent with the deliverables
specified in the engagement letter or any variation to it

• conducting a review to determine that the work performed during the audit supports the
engagement deliverables, and

• forming the audit opinion.


The engagement partner should:

• take responsibility for the overall quality on each audit engagement to which that partner is
assigned [2068.3.3]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
• be satisfied that appropriate procedures regarding the acceptance and continuance of client
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
relationships and specific audit engagements have been followed, and that conclusions reached
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
in this regard are appropriate and have been documented [2068.3.4]
Page 5 / 133
• be satisfied that the engagement team collectively has the appropriate capabilities, competence,
• forming the audit opinion.
The engagement partner should:
International Audit Workbook (Interntional Audit Workbook)
• take responsibility for the overall quality on each audit engagement to which that partner is
assigned [2068.3.3]

• be satisfied that appropriate procedures regarding the acceptance and continuance of client
relationships and specific audit engagements have been followed, and that conclusions reached
in this regard are appropriate and have been documented [2068.3.4]

• be satisfied that the engagement team collectively has the appropriate capabilities, competence,
and time to perform the audit engagement in accordance with professional standards and
regulatory and legal requirements, and to enable an auditor's report that is appropriate in the
circumstances to be issued [2068.3.5]

• consider whether members of the engagement team have complied with ethical requirements
[2068.3.6]

• take responsibility for the direction, supervision, and performance of the audit engagement in
compliance with professional standards and regulatory and legal requirements, and for the
auditor's report that is issued to be appropriate in the circumstances [2068.3.7]

• be responsible for the engagement team undertaking appropriate consultation on difficult or


contentious matters [2068.3.8]

• be satisfied that members of the engagement team have undertaken appropriate consultation
during the course of the engagement, both within the engagement team and between the
engagement team and others at the appropriate level within or outside the firm [2068.3.8]

• be satisfied that the nature and scope of, and conclusions resulting from, such consultations are
documented and agreed with the party consulted [2068.3.8], and

• determine that conclusions resulting from consultations have been implemented. [2068.3.8]
For audits of financial statements of listed entities and for other audit engagements where an engagement quality control
review is performed in accordance with the firm's policies, the engagement partner should: [2068.3.9]

• determine that an engagement quality control reviewer has been appointed

• discuss significant matters arising during the audit engagement, including those identified during
the engagement quality control review, with the engagement quality control reviewer, and

• not issue the audit report until the engagement quality control review is completed.

Where more than one KPMG firm is providing services to a client, the lead partner from the

! originating KPMG firm is responsible for the overall client relationship. RMM-G 24.1.2

2.1.2 Engagement Manager


The following activities are examples of engagement manager responsibilities: [2071.1]

• assist the engagement partner in the development of the expected scope and conduct of the
audit

• review and approve the planned activities prior to the start of significant fieldwork

• schedule professional staff and maintain liaison with the entity on the timing of the engagement

• monitor the progress of the engagement against expectations (progress and completion dates
and budget) and keep the engagement partner informed of significant variances

• resolve issues with the engagement team members as they arise and discuss them with the
engagement partner, as appropriate
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
• supervise and direct the professional staff on the engagement
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• prepare and/or supervise the preparation of reports to management
Page 6 / 133
• review engagement working papers.
• monitor the progress of the engagement against expectations (progress and completion dates
and budget) and keep the engagement partner informed of significant variances
International Audit Workbook (Interntional Audit Workbook)
• resolve issues with the engagement team members as they arise and discuss them with the
engagement partner, as appropriate

• supervise and direct the professional staff on the engagement

• prepare and/or supervise the preparation of reports to management

• review engagement working papers.

2.1.3 Other Professional Staff


The following activities are examples of other professional staff responsibilities: [2072.1]

• understand and perform the tasks assigned to them

• prepare certain working papers and make them available for review by the appropriate member
of the engagement team, and

• inform the engagement partner and/or manager about issues or problems as they arise.

2.1.4 KPMG Specialists


If expertise in a field other than accounting or auditing is necessary to obtain sufficient appropriate audit evidence, we
determine whether to use the work of a KPMG specialist.
A KPMG specialist is a person possessing special knowledge, skills, and experience in a particular field, other than auditing
and accounting. [2073.2]
The engagement partner and manager: [2073.7]

• determine the need for participation of KPMG specialists in the audit

• define the roles and responsibilities of the KPMG specialists

• confirm satisfaction of procedures performed by the KPMG specialists

• confirm that documentation of such procedures has been prepared in accordance with applicable
KPMG policies and other requirements, and

• discuss any issues arising from the specialist's work with the KPMG specialist and appropriately
consider the results of the specialist's work in the audit.
When determining if the use of a KPMG specialist is appropriate, we consider: [2074.2]

• applicable policies for involvement of KPMG specialists, including IRM specialists and tax
specialists

• our assessment of the risk of material misstatement due to fraud for the engagement

• the risk of significant misstatement related to the audit objective being examined

• whether the matter relates to an audit objective associated with a significant risk

• the nature and complexity of the information, data, or calculations to be audited

• whether the client has developed the information, data, or calculations internally as opposed to
engaging the services of an independent third party; and whether the engagement team
possesses sufficient experience to review the information, data, or calculations provided by the
client, and

• any other audit evidence available.


KPMG specialists may include the following:

KPMG specialist Criteria for involvement


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
IRM specialist The audit engagement partner, in consultation with the IRM specialist's, makes an
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
assessment of the nature, timing, and extent of the IRM specialist's involvement in
each phase of the audit for audit engagements of clients that meet at least one of the Page 7 / 133
following criteria: [2075.4.1]
• any other audit evidence available.
KPMG specialists may include the following:
International Audit Workbook (Interntional Audit Workbook)

KPMG specialist Criteria for involvement

IRM specialist The audit engagement partner, in consultation with the IRM specialist's, makes an
assessment of the nature, timing, and extent of the IRM specialist's involvement in
each phase of the audit for audit engagements of clients that meet at least one of the
following criteria: [2075.4.1]

• the entity is listed

• the entity is a financial institution

• the audit engagement is greater than 1,000 hours (calculated at


the entity level for single entities or at the consolidation level
including multilocation involvement, if any), or

• Information Technology is critical to the operation of its


business.
When it is decided not to involve IRM specialists on clients that meet any of the above
criteria, this decision is approved and signed by the IRM specialist, and the rationale
is documented in the Planning Document. [2075.4.2]

Tax specialist The engagement partner discusses with a tax specialist the likely tax risks and
whether his or her involvement is necessary to support the audit. In some countries,
the engagement partner or manager may also be designated as a tax specialist, in
which case the involvement of another tax specialist would be unnecessary.
[2075.4.7]

Valuation specialist The factors to consider in deciding whether to include a KPMG valuation specialist as
part of the engagement team include: [2075.4.11]

• the materiality of the estimate

• the nature and complexity of the estimate and the risk of


significant misstatement for the related audit objective

• whether the client has developed the estimate internally as


opposed to engaging the services of an independent third party,
and

• whether the audit engagement team possesses sufficient skills


to review fair value measurements provided by the client.
Additional guidance regarding certain accounts subject to valuation is available in the
Other Topics chapter.

Forensics specialist The engagement partner, risk management partner, and engagement quality control
reviewer may consult with a forensic specialist when addressing difficult matters and
risk management considerations including: [2075.6]

• client/engagement acceptance and continuance procedures

• evaluation of possible fraud risks

• evaluation of the entity's controls to prevent, deter, or detect


fraud

• design of our audit response to identified fraud risks, and

• evaluation of the results of our audit response to identified fraud


risks.
The nature and extent of forensic specialist involvement will vary based on the
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
engagement partner's judgment, the circumstances of the engagement, and the risks
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
to be addressed in the audit. [2075.7]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 8 / 133
Other KPMG specialists There may be a number of other KPMG specialists available. Engagement teams are
• design of our audit response to identified fraud risks, and

• evaluation of the results of our audit response to identified fraud


International Audit Workbook (Interntional Audit Workbook)
risks.
The nature and extent of forensic specialist involvement will vary based on the
engagement partner's judgment, the circumstances of the engagement, and the risks
to be addressed in the audit. [2075.7]

Other KPMG specialists There may be a number of other KPMG specialists available. Engagement teams are
encouraged to review the practice pages available via KWorld to identify the
specialists available in their area.

The engagement team may use the Practice Aid - IT Criticality Checklist available on ARO to help
determine whether IT is critical to the business. [2075.4.1.3]

A forensic specialist may also assist the engagement team in performing fraud related controls
evaluation and testing and substantive procedures.

U.S. GAAP/GAAS and IFRS Assignments


Engagement teams reporting on financial statements or financial information in accordance with U.S. Generally Accepted
Accounting Principles /U.S. Generally Accepted Auditing Standards (U.S. GAAP/GAAS assignments) or IFRS assignments
refer to the policies and guidance in KAM International as follows:

KAM International Guidance


reference

[2075.8] U.S. GAAS assignments

[2075.30] IFRS assignments

Reviewing Partners
Reviewing partners may include the following individuals:

Partner Criteria for involvement

Engagement quality control An engagement quality control review is required for: [2076.1.7]
reviewer
• audits of general purpose financial statements of a listed entity

• audit of general purpose financial statements of a nonlisted


entity of significant public interest

• higher-risk engagements (as designated by the local risk


management partner).

IFRS reviewing partner An IFRS reviewing partner reviews the required documents when the financial
statements with which we are associated are prepared in accordance with IFRSs and
the entity is a listed entity, an entity of significant public interest, or the engagement
is a higher-risk engagement. [2076.3]

Filing review partner A filing review partner performs a filing review with respect to U.S.-SEC registration
statements on Forms S-1, S-3, S-4, S-8, F-1, F-2, F-3, F-4, or 20-F; annual reports
on Forms 20-F, 40-F, or 10-K; and any other U.S.-SEC filings that include or
incorporate by reference an auditor's report issued by a non-U.S. KPMG member firm
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
on the financial statements of a U.S.-SEC registrant. Filing reviews of Rule 144A
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
exempt offering documents, for securities that include registration rights, are also
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
performed, because of the expectation of a subsequent U.S.-SEC filing. [2078.1]
Page 9 / 133
A filing review partner also performs a filing review with respect to other U.S.-SEC
is a higher-risk engagement. [2076.3]

Filing review partner A filing review partner


International performs
Audit Workbooka(Interntional
filing reviewAuditwith respect to U.S.-SEC registration
Workbook)
statements on Forms S-1, S-3, S-4, S-8, F-1, F-2, F-3, F-4, or 20-F; annual reports
on Forms 20-F, 40-F, or 10-K; and any other U.S.-SEC filings that include or
incorporate by reference an auditor's report issued by a non-U.S. KPMG member firm
on the financial statements of a U.S.-SEC registrant. Filing reviews of Rule 144A
exempt offering documents, for securities that include registration rights, are also
performed, because of the expectation of a subsequent U.S.-SEC filing. [2078.1]
A filing review partner also performs a filing review with respect to other U.S.-SEC
filings that contain, or incorporate by reference, an auditor's report issued by a non-
U.S. KPMG member firm on financial statements other than those of the SEC
registrant (e.g., financial statements presented pursuant to Rule 3-05 and Rule 3-09
of Regulation S-X). [2078.2]

Designated review partner A designated partner ("designated review partner") reviews the required documents
(for reports filed with when the financial statements with which we are associated, or our report, are
certain foreign regulatory included in a document that is to be filed with certain foreign regulatory authorities,
authorities) or in a document offering securities in the United States that are exempt from
registration requirements of the U.S. Securities Act of 1933 based on Rule 144A.
[2077.1]

2.1.5 Use of a Service Organization by the Entity


When an entity uses a service organization, transactions that affect the entity's financial statements are subjected to policies
and procedures that are, at least in some part, physically and operationally separate from the entity. [2113.3]
We consider how the entity's use of a service organization affects the entity's internal control so as to identify and assess
the risk of material misstatement and to design and perform further audit procedures. [2113.1]

A client may use a service organization such as one that executes transactions and maintains related
accountability or records transactions and processes related data (e.g., a computer information systems service
organization). [9237]

Our approach to considering the effect of the entity's use of a service entity and our documentation of such consists of the
following:

Applicability Procedure

Where the entity uses a When obtaining our understanding, we determine the significance of service
service organization organization activities to the entity and the relevance to the audit. [2115]
We consider the following:

• the nature of the services provided by the service organization


and significance of those services to the user entity, including
the user entity's internal control

• the nature and materiality of the transactions processed or


accounts affected by the service organization and the degree of
interaction between the activities of the service organization and
those of the user entity, and

• the nature of the relationship between the user entity and the
service organization, including the contractual terms for the
relevant activities undertaken by the service organization.
The understanding obtained may lead us to decide that the assessment of the risk of
significant misstatement (RoSM = inherent risk of error + control risk) will not be
affected by controls at the service organization. If this is the case, further
consideration is unnecessary. [2123.2]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
When we determine that If we conclude that the activities of the service organization are significant to the
the activities of the service entity and relevant to the audit, we obtain a sufficient understanding of the service Page 10 / 133
organization are significant organization, including its internal control, to identify and assess the risks of material
service organization, including the contractual terms for the
relevant activities undertaken by the service organization.
The understanding
Internationalobtained may lead
Audit Workbook us to Audit
(Interntional decide that the assessment of the risk of
Workbook)
significant misstatement (RoSM = inherent risk of error + control risk) will not be
affected by controls at the service organization. If this is the case, further
consideration is unnecessary. [2123.2]

When we determine that If we conclude that the activities of the service organization are significant to the
the activities of the service entity and relevant to the audit, we obtain a sufficient understanding of the service
organization are significant organization, including its internal control, to identify and assess the risks of material
to the entity and relevant to misstatement and design further audit procedures in response to the assessed risks.
the audit [2116]
To obtain this understanding we may:

• read the third-party report of the service organization auditor

• perform the appropriate procedures ourselves, or

• request the service organization to have its auditor perform the


appropriate risk assessment procedures.
We may use either a Type A or Type B report to obtain an understanding of the
internal control. [2137.1]

When we take a controls We obtain audit evidence about the operating effectiveness of controls when our risk
approach assessment includes an expectation of the operating effectiveness of the service
organization's controls or when substantive procedures alone do not provide
sufficient appropriate audit evidence at the assertion level. We may also conclude
that it would be efficient to obtain audit evidence from tests of controls. [2132.1]
Audit evidence about the operating effectiveness of controls may be obtained by:
[2133]

• obtaining a Type B service organization auditor's report

• performing tests of the entity's controls over the activities of the


service organization, and
For example, we may test the entity's independent reperformance of
selected items processed by the service organization or test the entity's
reconciliation of output reports to source documents.

• visiting the service organization and performing tests of the


service organization's controls ourselves.
If we plan to use Type B reports, we consider whether: [2139.2]

• the controls tested are relevant to the entity's classes of


transactions, account balances derived from estimates, other
account balances and disclosures, and related assertions and
our audit objectives

• the tests of control performed by the service organization


auditor are adequate, and

• the results of the tests of control performed by the service


organization auditor are adequate for our audit purposes.

Service organization auditor's reports will usually be in one of the following formats: [2137.1]

! •

Type A: report on the design and implementation of internal control, or
Type B: report on the design, implementation, and operating effectiveness
of internal control.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
We use Type A reports to obtain an understanding of the internal control. [2139.1]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
We use Type B reports to obtain audit evidence about the operating effectiveness of controls.
[2139.1.1] Page 11 / 133
Service organization auditor's reports will usually be in one of the following formats: [2137.1]

! •

Type A: report on the design and implementation of internal control, or
International Audit Workbook (Interntional Audit Workbook)
Type B: report on the design, implementation, and operating effectiveness
of internal control.
We use Type A reports to obtain an understanding of the internal control. [2139.1]
We use Type B reports to obtain audit evidence about the operating effectiveness of controls.
[2139.1.1]

2.1.6 External Experts


An external expert is a person or firm, not employed by KPMG, possessing special skills, knowledge, and experience in a
particular field other than auditing and accounting. An external expert may be contracted by KPMG directly, contracted by
management of the entity under audit, or employed by that entity. [2142], [2142.1]
External experts may include property appraisers, environmental engineers, lawyers, etc.
The engagement partner and manager are responsible for determining whether an external expert is involved in the audit.
To determine the need to use the work of an external expert, we consider: [2155]

• our knowledge and previous experience of the matter being considered

• the risk of material misstatement based on the nature, complexity, and materiality of the matter
being considered

• the significance of the audit objective, transactions, and related account balance being examined
in relation to the financial statements as a whole

• whether the matter relates to an audit objective associated with a significant risk

• the quantity and quality of other audit evidence obtained related to the audit objective,
transactions, and related account balance being examined, and

• the complexity or subjectivity of the audit objective.

It is important to document and agree upon the work to be performed by external experts and

! their reporting requirements.

If we have determined that there is a need and plan to use the work of an external expert in an audit engagement, we:

Applicability Procedure/Considerations

Evaluate the professional Consider whether the external expert:


competence of the expert
• has professional certification or licensing by, or membership in,
an appropriate professional body, and

• has experience and reputation in the field for which we are


seeking audit evidence.

Evaluate the objectivity of The risk that an external expert's objectivity will be impaired increases when the
the expert external expert is:

• employed by the entity, or

• related in some manner to the entity.

Obtain sufficient Review the instructions from the entity to the external expert or discussion with the
appropriate audit evidence external expert, regarding matters such as:
that the scope of the
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
expert's work is adequate • the objectives and scope of the external expert's work
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
for purposes of the audit, • the specific matters that we expect the external expert's report
and to cover Page 12 / 133
• employed by the entity, or

• related in some manner to the entity.


International Audit Workbook (Interntional Audit Workbook)
Obtain sufficient Review the instructions from the entity to the external expert or discussion with the
appropriate audit evidence external expert, regarding matters such as:
that the scope of the
expert's work is adequate • the objectives and scope of the external expert's work
for purposes of the audit, • the specific matters that we expect the external expert's report
and to cover

• the intended use of the external expert's work

• the extent of the external expert's access to the appropriate


records and files

• clarification of the external expert's relationship with the entity

• confidentiality of the entity's information, and

• information regarding the assumption and methods intended to


be used by the external expert and their consistency with those
used in prior periods.

Evaluate the Consider:


appropriateness of the
expert's work as audit • the source data used by the external expert
evidence regarding the • the assumptions and methods used and their consistency with
assertion being considered the prior period, and

• the results of the external expert's work, in light of our overall


knowledge of the business obtained in performing the audit.
The external expert is responsible for the reasonableness and appropriateness of the
assumptions and methods used, together with their application. [2171]
KPMG specialists may assist the engagement team to evaluate the work of an
external expert.
If the results of the expert's work do not provide sufficient appropriate audit evidence
or if the results are not consistent with other audit evidence, we should resolve the
matter by: [2174]/[2175]

• discussing the external expert's results with management and


the external expert

• performing additional audit procedures, and/or

• considering engaging or asking management to engage another


external expert.

We document our evaluation of the professional competence and objectivity of the expert and the adequacy of the expert's
work for the purpose of the audit in the Evaluation of External Experts working paper. [2175.3]

2.1.7 Internal Audit


With respect to the internal audit function, the level of work that we perform depends on the particular circumstances of the
audit, as follows:

Applicability Procedure/Consideration

Where the entity has an To the extent that the internal audit function operates as part of management's
internal audit function control system, we obtain a sufficient understanding of internal audit activities to
identify and assess the risks of material misstatement of the financial statements and
to design and perform further audit procedures.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
As part of our understanding, we consider the organizational status of the internal
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
audit function and the scope of their responsibilities.
Page 13 / 133
We document our understanding of internal audit activities in the Entity Level Controls
Where the entity has an To the extent that the internal audit function operates as part of management's
internal audit function control system, we obtain
International a sufficient
Audit Workbook understanding
(Interntional of internal audit activities to
Audit Workbook)
identify and assess the risks of material misstatement of the financial statements and
to design and perform further audit procedures.
As part of our understanding, we consider the organizational status of the internal
audit function and the scope of their responsibilities.
We document our understanding of internal audit activities in the Entity Level Controls
Program.

When we intend to use the Make an assessment of the internal audit function by obtaining information about
work of the internal audit matters such as:
function, including direct
assistance provided by the • the nature and extent of their assignments
internal audit function • whether management acts on their reports and
recommendations and how this is evidenced

• the technical competence of the internal audit function

• the due professional care, especially whether their work is


adequately planned, supervised, and reviewed, and

• the objectivity of internal auditing.


When we conclude that internal audit activities are not relevant to our work or that it
would not be effective to consider their work further, we need not give further
consideration to internal auditing.

When we use the specific Evaluate whether:


work of the internal audit
function • the work is performed by those with adequate technical training
and proficiency

• the work of internal auditing is properly supervised, reviewed,


and documented

• sufficient appropriate audit evidence is obtained to be able to


draw a reasonable conclusion

• conclusions are appropriate in the circumstances and reports


are consistent with the results of the work performed, and

• any exceptions or unusual matters disclosed by internal auditing


are properly resolved by management.
In evaluating the work of the internal audit function, we may observe the procedures
performed by internal audit, inquire of the internal audit function about the nature of
its work, reperform some of the work performed by the internal audit function,
perform different audit procedures, or examine internal audit working papers.

When we request direct Inform internal audit of their responsibilities, the objectives of the procedures they
assistance from the are to perform, and matters that may affect the nature, timing, and extent of audit
internal audit function procedures. We also supervise their work and review the working papers that the
internal audit function prepares on our behalf. We consider whether the work was
adequately performed and evaluate whether the results are consistent with the
conclusions in our audit report.

2.2. Client and Engagement Acceptance and Continuance


Client and engagement acceptance and continuance policies, other requirements, and guidance are set out in the Risk
Management Manual - Global in chapters 20 and 21, briefly discussed in KAM International, and are defined more
specifically by each KPMG member firm in compliance with the Risk Management Manual - Global.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
2.3 Setting the Terms of the Audit
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 14 / 133
KPMG and the client should agree on the terms of the engagement, which are set out in an engagement letter.
2.2. Client and Engagement Acceptance and Continuance
Client and engagement acceptance and continuance policies,
International Audit other
Workbook requirements,
(Interntional and guidance are set out in the Risk
Audit Workbook)
Management Manual - Global in chapters 20 and 21, briefly discussed in KAM International, and are defined more
specifically by each KPMG member firm in compliance with the Risk Management Manual - Global.

2.3 Setting the Terms of the Audit


KPMG and the client should agree on the terms of the engagement, which are set out in an engagement letter.
Policies and guidance on engagement letters are set out in KAM International and in chapter 21 of the Risk Management
Manual - Global.

2.4 Audit Documentation


This section addresses:

• definition of audit documentation

• criteria for selecting the appropriate audit workflow

• documenting the nature, timing, and extent of the audit procedures performed

• documenting significant findings or issues arising during the audit and the conclusions reached
thereon

• audit file assembly

• working paper retention

2.4.1 Definition of Audit Documentation

Audit documentation is the record of audit procedures performed (including Planning), relevant audit evidence
obtained, and conclusions reached.
In the KPMG audit, terms such as "Global Work Papers," "working papers," or "work papers" are used when
referring to audit documentation.

Audit documentation may include e-mail where correspondence is related to "significant


matters."

Working papers or audit documentation may be recorded on paper or on electronic or other media. [2553]
Examples of working papers include, among other things, standard KPMG working paper templates, copies of client
prepared documents or schedules, transcripts, analyses, letters of confirmation and representation, notes and other
memoranda (including computer files), internal KPMG memos and external correspondence with the client and relevant third
parties (including e-mail) concerning significant matters, and final deliverables prepared and accumulated in connection with
an audit.
Our working papers may also include abstracts or copies of the entity's records if considered appropriate. [2553]
For example, we include significant and specific contracts and agreements as part of the working papers if considered
appropriate.
Audit documentation ordinarily excludes the following:

• superseded drafts of working papers and financial statements

• notes that reflect incomplete or preliminary thinking

• previous copies of documents corrected for typographical or other errors

• duplicates.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
Draft working papers or other documents are discarded when the working paper or other document is finalized (except
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
when the local firm's document retention policy provides otherwise), or when a decision is made not to proceed. [2564.0.1]
We do not retain documentation that is incorrect or superseded (except pursuant to the local firm's document retentionPage 15 / 133
• superseded drafts of working papers and financial statements

• notes that reflect incomplete or preliminary thinking

• Internationalfor
previous copies of documents corrected Audit Workbook (Interntional
typographical or otherAudit Workbook)
errors

• duplicates.
Draft working papers or other documents are discarded when the working paper or other document is finalized (except
when the local firm's document retention policy provides otherwise), or when a decision is made not to proceed. [2564.0.1]
We do not retain documentation that is incorrect or superseded (except pursuant to the local firm's document retention
policy). [2565.8]

Work papers stand on their own.

! Although oral explanations may be used to explain or clarify information contained in the working
papers, they do not represent adequate support for the work we performed or conclusions
reached. [2565.1]

We should prepare the audit documentation so as to enable an experienced auditor, having no previous connection with the
audit, to understand: [2561]

• the nature, timing, and extent of the audit procedures performed to comply with ISAs and
applicable legal and regulatory requirements

• the results of the audit procedures and the audit evidence obtained, and

• significant matters arising during the audit and the conclusions reached thereon.
Audit documentation is prepared on a timely basis and provides a sufficient and appropriate record of the basis for our
report.

2.4.2 Criteria for Selecting the Appropriate Audit Workflow


We complete different sets of working papers depending upon which audit workflow is used for the engagement, as
follows:

Workflow Applicability

FSA The FSA Global Work Papers (GWPs) may be used for audits that do not issue an
auditor report that refers to the Public Company Accounting Oversight Board (PCAOB)
standards and in the judgment of the engagement partner application of the Small
Entity (SE), Very Small Entity (VSE), or Less Complex Entity (LCE) audit workflow is
not suitable.

SE, VSE, LCE The determination of whether to use the SE or VSE, GWPs or the LCE workflow is
based on the judgment of the engagement partner that, in addition to meeting the
qualitative and quantitative criteria set forth in KAM International, the GWPs/workflow
are appropriate (1) to address engagement risk and "audit risk" (i.e., the interaction
of inherent risk, control risk, and detection risk) and (2) to comply with the KPMG
Audit Methodology and with local auditing standards and requirements.

SE It may not be appropriate for the following entities to utilize the SE GWPs:

• entities with a high degree of outside ownership in the entity


from a nonmanagement/owner perspective

• public/listed entities and their subsidiaries

• entities where other significant stakeholders rely on the financial


statements as their primary basis for obtaining reliable financial
information on the entity

• entities subject to industry-wide regulations (e.g., financial


institutions)
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• entities that have an essential public service responsibility due to
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
the nature of their operations, and
Page 16 / 133
• higher-risk engagements.
• entities where other significant stakeholders rely on the financial
statements as their primary basis for obtaining reliable financial
International Audit
information Workbook
on the entity(Interntional Audit Workbook)

• entities subject to industry-wide regulations (e.g., financial


institutions)

• entities that have an essential public service responsibility due to


the nature of their operations, and

• higher-risk engagements.
Additionally, engagement hours are not expected to exceed 1,000 hours.

VSE In order to utilize the VSE GWPs, the engagement meets all of the qualitative and
quantitative criteria set forth below:

• the planned hours directly related to completing the audit


engagement and issuance of the auditor's report do not exceed
500[[1]] hours

• if the global Client/Engagement Acceptance/Continuance (CEAC)


process is used, the client/engagement is considered a "low"
risk client/engagement or, "medium" risk1 with the approval of
the risk management partner

• if another CEAC process is used, the client/engagement is


classified in the lowest risk category

• the entity is not a listed entity whose debt or equity securities


are traded in a public market, and the financial statements of
the entity will not be included in the regulatory filings of such a
listed entity

• the entity has limited sources of revenue

• the entity has a limited number of owners, management, and


users of the financial statements

• the entity's principal operations, which may include functions,


branches, or subsidiaries, are in a single country or jurisdiction,
and

• a substantive approach will be taken for substantially all


significant accounts and disclosures.
Additionally, VSE GWPs may be used for audits of wholly owned subsidiaries
(regardless of the number of planned audit hours) where all of the following criteria
are met:

• all of the criteria for use of the VSE GWPs included above are
met

• KPMG is the auditor of the consolidated group accounts

• the entity is a wholly owned subsidiary of the group, and

• the audit is being performed for local statutory purposes only-


there is no requirement for any group reporting in order to issue
the auditor's report on the consolidated entity.
Additional guidance regarding the use of VSE Global Work Papers is included in the
VSE Audit Guidance Document accompanying the VSE Global Work Papers. The VSE
Global Work Papers and the related VSE Audit Guidance Document can be accessed
from ARO.

Other workflows that may Engagement teams that are required to complete the Supplemental U.S. Procedures
be applicable Checklist may be required to complete either the Integrated Audit working papers or
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
the FSA Public working papers as noted in that Checklist. [2571.1.2]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Integrated Audit working The Integrated Audit working papers are used when we perform an audit in Page 17 / 133
papers accordance PCAOB Auditing Standard No. 5, "An Audit of Internal Control Over
VSE Audit Guidance Document accompanying the VSE Global Work Papers. The VSE
Global Work Papers and the related VSE Audit Guidance Document can be accessed
from ARO. International Audit Workbook (Interntional Audit Workbook)

Other workflows that may Engagement teams that are required to complete the Supplemental U.S. Procedures
be applicable Checklist may be required to complete either the Integrated Audit working papers or
the FSA Public working papers as noted in that Checklist. [2571.1.2]

Integrated Audit working The Integrated Audit working papers are used when we perform an audit in
papers accordance PCAOB Auditing Standard No. 5, "An Audit of Internal Control Over
Financial Reporting That Is Integrated with an Audit of Financial Statements."
The Integrated Audit working papers that incorporate the provisions of AS 5 are
available on ARO and can be dragged and dropped into specific areas of the Vector
audit file. Additional guidance on using Vector with the Integrated Audit workflow can
be found on the Vector Web site.

FSA Public working papers The FSA Public working papers are used for financial statement audits of a public
company when an integrated audit is not performed and we issue an auditor's report
on the financial statements that refer to PCAOB standards. Engagement teams
performing audits of financial statements of foreign private issuers, when an
integrated audit is not performed, are not required to, but may use the FSA Public
set of working papers. The FSA Public working papers are available on ARO.
Additional guidance on using Vector with the FSA Public workflow can be found on
the Vector Web site

* GWPs or workflow can be used by a participating location in a multilocation audit (including subsidiaries of public/listed
entities), if the location meets the criteria for utilizing the GWPs/workflow, unless the originating location specifies in the
inter-office instructions that an alternative audit workflow is to be used, for example FSA.

An integrated audit is an audit of internal control over financial reporting (ICOFR) performed in conjunction with
an audit of the financial statements in accordance with PCAOB Auditing Standard No. 5, "An Audit of Internal
Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements." Guidance regarding
integrated audits performed in accordance with the PCAOB Auditing Standard No. 5 is not included in KAM
International or in the Audit Workbook. For guidance regarding engagements performed pursuant to this
standard, refer to the Integrated Audit Manual and the Integrated Audit working papers available on ARO under
the United States country page

Criteria for use of LCE working papers

The LCE workflow may be used for audit engagements which meet all of the following criteria: [2574.0.3]

• not a U.S. SEC registrant or a "substantial role" assignment of a U.S. SEC registrant, and

• when the entity is part of a group audit, the group auditor has not specified the use of an
alternative work flow.
In addition, the engagement partner considers the following qualitative criteria:

Qualitative criteria

Less complex application of risk • KAM requires the performance of risk assessment
assessment procedures procedures in order to identify those audit risks at a
financial statement and assertion level. In a less
complex entity, the extent of risk assessment
procedures required is reduced as risks at a financial
statement and assertion level are easier to identify
than in a more complex entity. The implication of less
extensive risk identification procedure is reduced
documentation.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
• We often obtain much of our understanding of the
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
business from a few process owners rather than a
number of process owners and operational staff. Page 18 / 133
procedures required is reduced as risks at a financial
statement and assertion level are easier to identify
than Audit
International in a more complex
Workbook entity.
(Interntional AuditThe implication of less
Workbook)
extensive risk identification procedure is reduced
documentation.

• We often obtain much of our understanding of the


business from a few process owners rather than a
number of process owners and operational staff.

Concentration of management • The performance of senior and other managerial


functions functions is concentrated in a small number of
individuals.

Limited sources of income • The operations of the entity are relatively less
complex and there are only a few core business
processes within which the entity is involved.

• The operations of the entity are restricted to a


limited number of locations and each of these
locations is not of a specialized nature.

• The entity provides a limited number of products or


services

Less sophisticated record keeping • The entity usually has less formal objectives and
strategies. This is complemented with a less formal
budgeting and financial reporting process.

• Less sophisticated accounting systems, which are not


supported by a complex IT environment.

Unsophisticated entity level • Less complex entities generally have fewer


controls employees involved in the accountancy systems and
as a result have limited segregation of duties.

• The owner and/or senior management is actively


involved in daily operations of the organization.

There is no maximum audit hour criterion. [2574.0.3.0.1]

Audit teams using LCE to perform an audit on a non-complex listed entity complete the

! “Additional procedures when auditing a listed entity using LCE” document. [2574.0.3.1]


Refer to the Less Complex Entities User Guide on the LCE Homepage for additional guidance and
information when performing an audit using the LCE workflow. The LCE Homepage is available
by selecting Audit Technology from the Global Audit Portal.

Refer to KAM for policies and guidance regarding the receipt of a Preservation Notice where the
engagement has been performed using LCE.

The following table indicates the working papers to be prepared for each audit workflow: [2566.1]

Global Work Papers Audit Workflow

FSA SE VSE
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
Audit Checklist Co
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Sp

Page 19 / 133
Audit Program Sp Sp Sp
The following table indicates the working papers to be prepared for each audit workflow: [2566.1]

Global WorkInternational
Papers Audit Workbook (Interntional Audit Workbook) Audit Workflow

FSA SE VSE

Audit Checklist Co Sp

Audit Program Sp Sp Sp

Audit Program for Specific Topics Sp Sp N/R

Completion Document Sp Sp N/R

Entity Level Controls Program SP N/R N/R

Evaluation of Design and Implementation and Test of Operating Co


Effectiveness Template (if applicable)

Evaluation of External Experts (if applicable) Co

Evaluation of Internal Audit Function (if applicable) Co

Evaluation of Service Organization Function (if applicable) Co

Financial Reporting Audit Program Co N/R

IDEA® CAATs Document (if applicable) Co

Instructions for Inventory Count Attendance (if applicable) Co

IT General Controls Program (if applicable) Sp N/R N/R

KPMG Monetary Unit Sampling Document (if applicable) Co

KPMG Sampling Plan (if applicable) Co

Planning Document Sp SP N/R

Substantive Analytical Procedures Template (if applicable) Co

Summary of Audit Differences and related Summary of Audit Differences Co


Template

Test of Details Document (if applicable) Co

Planning and Completion Document N/A N/A Sp

Interim Review Checklist (if applicable) Co N/R

Interim Review Program (if applicable) Co N/R

Summary of Review Differences and related Summary of Review Co N/R


Differences Template (if applicable)

Co Common version of Global Work Paper is used for these workflows.


Sp Global Work Paper specific to the audit workflow is used.
N/R Global Work Paper is not required for this workflow.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Completion of the applicable KPMG audit documentation, which includes Global Work Papers and electronic work flows, is
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
required for all audit engagements. [2569]
Page 20 / 133
Co Common version of Global Work Paper is used for these workflows.
International
Sp Global Work Paper specific to the audit workflow Audit Workbook (Interntional Audit Workbook)
is used.
N/R Global Work Paper is not required for this workflow.
Completion of the applicable KPMG audit documentation, which includes Global Work Papers and electronic work flows, is
required for all audit engagements. [2569]

The documentation for an SE and VSE engagement must comply with all policies and guidance
contained in KAM International that are applicable to the engagement. However, the extent of
documentation is scaled to the size and complexity of the particular engagement.

2.4.3 Documenting the Nature, Timing, and Extent of the Audit Procedures Performed
In documenting the nature, timing, and extent of audit procedures performed, we should record: [2565.9.3]

Preparer and reviewer The preparer(s) and reviewer(s) of each working paper signs or initials and dates
each working paper. [2565.9.4]
A preparer's and/or reviewer's printed name and date on a working paper also may
constitute evidence of signature. [2565.9.6]

Multipage working papers


The preparer may indicate evidence of preparation of the working paper on the first
page only, where it has been prepared by one person. [2565.9.6.1]
A reviewer may indicate evidence of review on the first page of a multiple page
working paper and, if the reviewer has not reviewed the entire document, the
sections reviewed. [2565.9.7.1]

Final version
For Global Work Papers that are prepared throughout the audit, we document
evidence of review on the final version. [2565.9.8]

The date audit work was We record the date the working paper was completed on each working paper.
completed, and the date [2565.9.5]
and extent of review
Working paper dating by preparers and reviewers follows a convention that includes
the day, month, and year. [2565.9.4]
Where documents are faxed or e-mailed to a reviewer and the review is evidenced
on a returned faxed document or in a reply e-mail, the reviewer initials and includes
the date of review on the original working papers by the audit file assembly date.
[2565.9.10]

Identifying characteristics Identifying characteristics of the specific items or matters being tested will vary with
of the specific items or the nature of the audit procedure and the item or matter being tested. [2565.4]
matters being tested
For example, for:

• a test of purchase orders; we may record the dates and unique


purchase order numbers of the documents selected for testing

• selection or review of all items over a specific amount from a


given population; we may record the scope of the procedure
and identify the population (for example, all journal entries over
a specified amount from the journal register)

• systematic sampling from a population of documents; we may


record the source, the starting point, and the sampling interval
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
of the documents selected (for example, a systematic sample of
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
shipping reports selected from the shipping log for the period
from 1 April to 30 September, starting with report number
Page 21 / 133
12345 and selecting every 125th report)
• selection or review of all items over a specific amount from a
given population; we may record the scope of the procedure
and identify the population (for example, all journal entries over
aInternational
specified Audit Workbook
amount from(Interntional
the journal Audit Workbook)
register)

• systematic sampling from a population of documents; we may


record the source, the starting point, and the sampling interval
of the documents selected (for example, a systematic sample of
shipping reports selected from the shipping log for the period
from 1 April to 30 September, starting with report number
12345 and selecting every 125th report)

• inquiries; we may record the dates of the inquiries and the


names and job designations of the entity personnel

• observations; we may record the process or subject matter


being observed, the relevant individuals, their respective
responsibilities, and where and when the observation was
carried out.

When using the Monetary Unit Sampling (MUS) routine in IDEA®, the MUS planning, extraction,

! and evaluation report contains sufficient detail to be able to reproduce the sample from the
sample file.

2.4.4 Documenting Significant Findings or Issues Arising During the Audit and the
Conclusions Reached Thereon

Discussions of significant When we discuss significant findings or issues with management and others (i.e.,
findings or issues those charged with governance, other personnel within the entity, and external
parties, such as persons providing professional advice to the entity), we document on
a timely basis the discussions in our working papers. We provide appropriate
references to the working papers where the discussions are documented, in the
Completion Document. [2565.6]
The documentation includes: [6313.7]

• the significant findings or issues discussed

• when and with whom the discussions took place.


We may include other appropriate records such as agreed minutes of discussions
prepared by the entity's personnel. [6313.8]
Significant findings and issues are those documented in the Completion Document.

Contradicting or We document the information that contradicts or is inconsistent with our final
inconsistent information conclusions regarding a significant finding or issue together with our response in the
Completion Document. [2565.7.1]
For example, our working papers may include procedures performed in response to
the information, documentation of consultations on, or resolution of, differences in
professional judgment among members of the engagement team or between the
engagement team and others consulted.

Departures from bold type In exceptional circumstances, we may judge it necessary to depart from a bold type
paragraphs paragraph that is relevant in the circumstances of the audit, in order to achieve more
effectively the objective of the engagement. [1005]/[1007.1]
We document how the alternative audit procedures performed were sufficient and
appropriate to replace that bold type paragraph and achieve the objective of the
audit, and, unless otherwise clear, the reasons for the departure, in the Completion
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Document. In these exceptional circumstances, provided the departure is
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
appropriately documented, we are not precluded from representing compliance with
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
ISAs. [1007.1]
Page 22 / 133
Documentation is not required where the bold type paragraph is not relevant in the
Departures from bold type In exceptional circumstances, we may judge it necessary to depart from a bold type
paragraphs paragraph that is relevant in the circumstances of the audit, in order to achieve more
effectively the objective of the engagement. [1005]/[1007.1]
International Audit Workbook (Interntional Audit Workbook)
We document how the alternative audit procedures performed were sufficient and
appropriate to replace that bold type paragraph and achieve the objective of the
audit, and, unless otherwise clear, the reasons for the departure, in the Completion
Document. In these exceptional circumstances, provided the departure is
appropriately documented, we are not precluded from representing compliance with
ISAs. [1007.1]
Documentation is not required where the bold type paragraph is not relevant in the
circumstances of the audit or an ISA includes conditional requirements and the
specified conditions do not exist. [1007.2]

We consult with the risk management partner when we judge it necessary to depart from a bold

! type paragraph that is relevant in the circumstances of the audit. [1007.1]

2.4.5 Audit File Assembly

When undertaking an audit under ISAs, the audit file assembly date is the date by which an engagement team
assembles a complete and final set of working papers for retention. The date is ordinarily not more than 60
calendar days from the date of the auditor's report. [9031.1]
The date of the auditor's report is the date selected by us to date our report on the financial statements. Our
report is not dated earlier than the date on which we have obtained sufficient appropriate audit evidence on which
to base the opinion on the financial statements. [9067.2]

Where we issue two or more different reports in respect of the same subject matter information of an entity (e.g., we issue
an auditor's report on a component's financial information for group consolidation purposes and, at a subsequent date, an
auditor's report on the same financial information for statutory purposes), the time limits for the assembly of final
engagement files address each report as if it were for a separate engagement. In such an instance, we assemble the audit
file necessary to support the report on a component's financial information for group consolidation purposes based on the
date of the group auditor's report on the consolidated financial statements. We complete the assembly of the audit file
necessary to support our statutory audit report based on the date of our statutory audit report. [2621.7] [2621.7.1]
Where both reports are supported by the same working papers, one of the two audit files may contain cross references to
the audit working papers in the other audit file, provided each audit working paper is dated so that it is clear from the
working paper when the audit evidence was documented and reviewed. [2621.7.2]
The auditor's report date and the audit file assembly date are documented in the Audit Checklist.
The process of assembling the final audit file and modifying working papers are illustrated below. [2620.1]

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 23 / 133
International Audit Workbook (Interntional Audit Workbook)

Changes that are administrative in nature (refer to the green box above) may be made to the audit documentation during
the final assembly process. [2621.9]
For example, changes that are administrative in nature include:

• deleting or discarding superseded documentation

• sorting, collating, and cross-referencing working papers

• signing off on checklists relating to the file assembly process

• documenting audit evidence that we have obtained, discussed, and agreed with the relevant
members of the audit team before the date of the report.
Modifications to audit working papers for exceptional circumstances that arose after the date of the auditor's report (refer to
the grey box above) and that required us to perform new or additional procedures or that led us to reach new conclusions
and those made after the audit file assembly date (refer to the blue box above), are documented in the Audit Checklist,
Appendix I, Audit Working Paper Modification Template.
Subject to relevant laws, regulations, professional standards, and KPMG policies, modifications to audit working papers after
the audit file assembly date may include: [2620]

• comments added to clarify existing working papers

• preparation of additional working papers to more fully document work performed during the
engagement

• deletion of extraneous comments or review notes included in the working papers

• deletion of a working paper that has been superseded or no longer serves a useful purpose,
and/or modifications of comments included in the working papers.

The engagement partner notifies the engagement quality control reviewer, when the

! engagement requires an engagement quality control review, of changes related to audit


objectives associated with a significant risk when exceptional circumstances arise after the date
of our report that require us to perform new or additional audit procedures or that lead us to
reach new conclusions, and substantive modifications are made to working papers. [2623]

2.4.5S Consideration of omitted documentation and other procedures identified after


the date of auditor's report
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
The engagement team does not have a responsibility to carry out a retrospective review of its work after the date of the
auditor's report. However the auditor's report and working papers relating to a particular engagement may be subjected Pageto
24 / 133
review after the date of the auditor's report in connection with the firm's quality performance program or inspection carried
! objectives associated with a significant risk when exceptional circumstances arise after the date
of our report that require us to perform new or additional audit procedures or that lead us to
reach new conclusions, and substantive modifications are made to working papers. [2623]
International Audit Workbook (Interntional Audit Workbook)

2.4.5S Consideration of omitted documentation and other procedures identified after


the date of auditor's report
The engagement team does not have a responsibility to carry out a retrospective review of its work after the date of the
auditor's report. However the auditor's report and working papers relating to a particular engagement may be subjected to
review after the date of the auditor's report in connection with the firm's quality performance program or inspection carried
out by a regulatory authority. [2625.12]
Accordingly, after the date of the auditor's report, even though there may be no indication that the financial statements are
materially misstated, it may be determined that one or more procedures considered necessary at the time of the audit of
the financial statements in the circumstances then existing were omitted from the audit. [2625.13]

The appropriate course of action may depend on the requirements of local laws or regulations.

! [2625.16]

The engagement partner consults with the local risk management partner to determine an appropriate course of action
when an auditing procedure considered necessary at the time of the audit of the financial statements in the circumstances
has been omitted, which may include consultation with legal counsel. [2625.17]
If we determine and demonstrate that sufficient procedures were performed, sufficient evidence was obtained, and
appropriate conclusions were reached, but that the documentation thereof is not adequate, we consider what additional
documentation is needed. For further guidance on adding such documentation, see sections titled "After the date of the
auditor's report" and "After the audit file assembly date" in the Engagement Management chapter of KAM. [2625.14]
If we cannot determine or demonstrate that sufficient procedures were performed, sufficient evidence was obtained, or
appropriate conclusions were reached, we apply the following guidance to assess the significance of the omitted procedure,
at the time it is identified, to the present ability to support the previously expressed opinion on the financial statements:
[2625.15]

Circumstance Course of Action

The previously issued audit opinion on the financial The engagement team promptly undertakes to
statements cannot be supported without performing perform the omitted procedure or alternative
the omitted procedure and that there are persons procedures that would provide a satisfactory basis for
currently relying, or likely to rely, on the previously the opinion. [2625.20]
issued auditor’s report. [2625.20]

As a result of the subsequent performance of the We:


omitted procedure or alternative procedures, we
become aware that facts regarding the financial • consult with the risk management
statements existed at the date of our report that partner
would affect the report had we been aware of them. • consult with legal counsel
[2625.21]
• follow the guidance in the section
titled, "Subsequent events" in the
Control Evaluation chapter of KAM.
[2625.21]

If we determine that the omitted procedure needs to We consult with OGC to determine an appropriate
be performed but we are unable to perform the course of action concerning our responsibilities to the
procedure or alternative procedures. [2625.22] client, regulatory authorities, if any, having jurisdiction
over the client, and persons relying, or likely to rely,
on our report. [2625.22]

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
2.4.6 Working Paper Retention
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

After the assembly of the final audit file has been completed, we should not delete or discard audit documentation before
Page 25 / 133
the end of its retention period. [2625.7]
be performed but we are unable to perform the course of action concerning our responsibilities to the
procedure or alternative procedures. [2625.22] client, regulatory authorities, if any, having jurisdiction
over the
International Audit Workbook client, and
(Interntional persons
Audit relying, or likely to rely,
Workbook)
on our report. [2625.22]

2.4.6 Working Paper Retention


After the assembly of the final audit file has been completed, we should not delete or discard audit documentation before
the end of its retention period. [2625.7]
KPMG member firms' and functions' retention policies are a matter of judgment in light of local laws and regulations, as well
as business needs. Consistent with International Standards on Quality Control (ISQC) 1, the retention period for audit
engagement documentation is ordinarily no shorter than five years from the date of the auditor's report, or, if later, the date
of the group auditor's report. [2695]
Additional policies and guidance regarding retention and destruction of working papers are included in sections 25.6 and
25.8 of the Risk Management Manual - Global. [2707]
For local requirements, please refer to the local Risk Management Manual.

In cases where several KPMG locations are involved, the originating location may request that

! participating locations follow the retention requirements of the originating location, when those
exceed the requirements of the participating location.

2.5. Review
All working papers are reviewed by another engagement team member more experienced than the preparer. [2575]
Working papers prepared by the engagement partner are reviewed by another partner assigned to the engagement, and/or
the engagement manager, and/or the engagement quality control reviewer, as appropriate in the engagement
circumstances. [2575.1]
The purpose of reviewing audit working papers is to reach an affirmative conclusion that the working papers support
KPMG's opinion on the financial statements and show that the audit complies with KPMG policies, professional standards,
and regulatory and legal requirements. [2582]
The engagement partner and an engagement manager review audit documentation relating to the following:

• audit objectives associated with significant risks (significant inherent risk of error or fraud)

• audit objectives with RoSM assessed as high, and

• significant findings and issues.


Such audit documentation includes those related to critical areas of judgment, especially those related to difficult or
contentious matters identified during the course of the engagement and other areas the engagement partner considers
important. The extent of review of such audit documentation by the engagement partner and manager is a matter of
professional judgment determined by the engagement partner. [2576]
The engagement partner and manager are responsible for satisfying themselves that the audit documentation meets KPMG
standards and the requirements of applicable laws, regulations, and professional standards. [2576.1]
In addition, the engagement partner and manager review and sign the Planning Document, the Entity Level Controls
Program, the Completion Document, the Summary of Audit Differences, and the Audit Checklist. [2580]
The reviewer considers whether: [2583]

• the audit work has been performed in accordance with KPMG policies, professional standards,
and regulatory and legal requirements

• significant matters have been raised for further consideration

• appropriate consultations have taken place and the resulting conclusions have been documented
and implemented, and
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• there is no need to revise the nature, timing, and extent of work performed.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

The reviewer also considers a variety of other matters, including whether: [2584] Page 26 / 133
• the audit work has been performed in accordance with KPMG policies, professional standards,
and regulatory and legal requirements

• International
significant matters have been raised Audit Workbook
for further (Interntional Audit Workbook)
consideration

• appropriate consultations have taken place and the resulting conclusions have been documented
and implemented, and

• there is no need to revise the nature, timing, and extent of work performed.
The reviewer also considers a variety of other matters, including whether: [2584]

• the engagement team has obtained an appropriate understanding of the business

• the objectives of the audit procedures are achieved and conclusions expressed are consistent
with the results of the audit work performed and support the audit opinion on the financial
statements

• the working papers are relevant to the audit, adequately document the audit evidence obtained,
and are internally consistent

• issues were properly identified during the audit, brought to the attention of the engagement
partner, and resolved or reported to management, as appropriate
Points raised during the review of working papers are cleared and, where appropriate, the working papers are revised.
Except pursuant to the applicable local firm's retention policies, review notes are not retained after the date of our report.
[2589]

2.5.1 Restricting Access to Working Papers


All working papers, reports, and other documents are confidential and the property of KPMG. They are to be protected from
loss, unauthorized destruction, or unauthorized access. [2640]
The engagement partner and risk management partner are responsible for granting requests from third parties for access
to our working papers, including client management. Specific legal advice is requested before the release of any document
where a claim or circumstance is known to have arisen. [2648.1]
Chapter 25 of the Risk Management Manual - Global provides policies and guidance on working paper storage, security,
access, and confidentiality. Chapter 40 of the Risk Management Manual - Global contains IT policy and guidance as they
relate to electronic working paper storage, security, access, and confidentiality. [2639.1]

2.6. Communications with Management and Those Charged with Governance


We should communicate audit matters of governance interest arising from the audit of financial statements to those
charged with governance of an entity. [2841]

Audit matters of governance interest are those matters that arise from the audit of financial statements and, in
the opinion of the auditor, are both important and relevant to those charged with governance in overseeing the
financial reporting and disclosure process. Audit matters of governance interest include only those matters that
have come to the attention of the auditor as a result of the performance of the audit. [9032]

We may seek to establish with those charged with governance, a mutual understanding of the form, timing, and expected
general content of communications. [2845.1]
To avoid misunderstandings, we make management and those charged with governance aware that we will communicate
only those matters of governance interest that come to our attention as a result of the performance of our audit and that we
are not required to design audit procedures for the specific purpose of identifying matters of governance interest. [2843]
We ensure throughout the audit that our communications with management and those charged with governance are
consistent with the scope outlined in our engagement letter with the client and are in compliance with KPMG policies,
methodologies, and procedures; professional standards; and applicable local laws and regulations. [2844]
Before communicating with those charged with governance, we usually discuss the matters with management, except
where those matters relate to questions of management competence or integrity, to clarify facts and issues and to give
management an opportunity to provide further information. [2903]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Our communications with those charged with governance may be made orally or in writing. The decision whether to
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
communicate orally or in writing is affected by factors such as the following: [2911]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

• the size, operating structure, legal structure, and communications processes of the entity being Page 27 / 133
audited
consistent with the scope outlined in our engagement letter with the client and are in compliance with KPMG policies,
methodologies, and procedures; professional standards; and applicable local laws and regulations. [2844]
Before communicating with those charged with governance,
International we (Interntional
Audit Workbook usually discuss the matters with management, except
Audit Workbook)
where those matters relate to questions of management competence or integrity, to clarify facts and issues and to give
management an opportunity to provide further information. [2903]
Our communications with those charged with governance may be made orally or in writing. The decision whether to
communicate orally or in writing is affected by factors such as the following: [2911]

• the size, operating structure, legal structure, and communications processes of the entity being
audited

• the nature, sensitivity, and significance of the audit matters of governance interest to be
communicated

• the arrangements made with respect to periodic meetings or reporting of audit matters of
governance interest

• the amount of ongoing contact and dialogue the auditor has with those charged with governance,
and

• statutory and regulatory requirements.


When audit matters of governance interest are communicated orally, we document in the working papers the matters
communicated and any responses to those matters. This documentation may take the form of a copy of the minutes of our
discussion with those charged with governance. In certain circumstances, depending on the nature, sensitivity, and
significance of the matter, it may be advisable to confirm in writing with those charged with governance any oral
communications on audit matters of governance interest. [2912]
We communicate material weaknesses to management in writing. [2913.2]

2.6.1 Required Communications

Reporting requirements Guidance

Audit matters of We communicate audit matters of governance interest with those charged with
governance interest governance. [2847]
Audit matters of governance interest include the following: [2847.1]

• the general approach and overall scope of the audit, including


any expected limitations thereon, or any additional requirements

• the selection of, or changes in, significant accounting policies


and practices that have or could have a material effect on the
entity's financial statements

• the potential effect on the financial statements of any material


risks and exposures, such as pending litigation, that are
required to be disclosed in the financial statements

• significant matters with respect of fair value measurements and


disclosures

• material uncertainties related to events and conditions that may


cast significant doubt on the entity's ability to continue as a
going concern

• disagreements with management about matters that,


individually or in aggregate, could be significant to the entity's
financial statements or the auditor's report

• expected modifications to our report, and

• any other matters agreed upon in the engagement letter.


We should communicate audit matters of governance interest on a timely basis.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Identified fraud or evidence Required communications for all entities include:
that fraud may exist Page 28 / 133
• identified fraud or information that indicates that a fraud may
financial statements or the auditor's report

• expected modifications to our report, and


International Audit Workbook (Interntional Audit Workbook)
• any other matters agreed upon in the engagement letter.
We should communicate audit matters of governance interest on a timely basis.

Identified fraud or evidence Required communications for all entities include:


that fraud may exist
• identified fraud or information that indicates that a fraud may
exist [2854]

• identified fraud involving management, employees who have


significant roles in internal control, or others where the fraud
results in a material misstatement in the financial statements
[2861.1]

• suspected fraud involving management, in which case we


communicate our suspicions and the nature, timing, and extent
of audit procedures to complete the audit, and [2855]

• material weaknesses in the design or implementation of internal


control to prevent and detect fraud which may have come to our
attention.
Additional matters to be considered for communication with those charged with
governance include, for example:

• failure by management to appropriately respond to an identified


fraud

• actions by management that may be indicative of fraudulent


financial reporting

• concerns about the adequacy and completeness of the


authorization of transactions that appear to be outside the
normal course of business

• failure by management to appropriately address identified


material weaknesses internal control

• concerns about the nature, extent, and frequency of


management's assessment of the controls in place to prevent,
deter, and detect fraud and the risk that the financial statements
may be misstated, and

• our evaluation of the entity's control environment, including any


questions regarding the competence and integrity of
management.
When we determine that there is audit evidence that fraud exists or may exist (as
outlined above), we communicate the matter as soon as practicable to the
appropriate level of management. [2862]
When we discover a suspected or possible fraud, we promptly bring the matter to
the attention of the engagement partner. [2866.2]

Noncompliance with laws When we discover a suspected or possible instance of noncompliance with laws or
and regulations regulations, including a possible illegal act, we promptly bring the matter to the
attention of the engagement partner who then reports the matter to the risk
management partner and follows local consultation and reporting protocols. [2869.1]
If we believe there may be noncompliance, we should document the findings and
discuss them with management. [2868]
We should, as soon as practicable, either communicate with those charged with
governance or obtain audit evidence that they are appropriately informed regarding
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
noncompliance that comes to our attention. [2869]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
If we suspect that members of senior management, including members of the board
of directors, are involved in noncompliance, we should report the matter to the next Page 29 / 133
higher level of authority at the entity, if it exists, such as an audit committee or a
If we believe there may be noncompliance, we should document the findings and
discuss them with management. [2868]
International Audit Workbook (Interntional Audit Workbook)
We should, as soon as practicable, either communicate with those charged with
governance or obtain audit evidence that they are appropriately informed regarding
noncompliance that comes to our attention. [2869]
If we suspect that members of senior management, including members of the board
of directors, are involved in noncompliance, we should report the matter to the next
higher level of authority at the entity, if it exists, such as an audit committee or a
supervisory board. [2874]
If in our judgment the noncompliance is believed to be intentional and material, we
should communicate the finding without delay. [2873]

Material weaknesses and We should make those charged with governance or management aware as soon as
other deficiencies in practical and at the appropriate level of responsibility, of material weaknesses in the
internal control design or implementation of internal control that have come to our attention. [2878]
When in our judgment there is a material weakness in the entity's risk assessment
process, we include such internal control weakness in our communication. [2879.1]
We also include identified risks of material misstatement which the entity has either
not controlled, or for which the relevant control is inadequate.
We also consider communicating deficiencies that had a significant effect on our
audit approach, but are not considered to be material weaknesses. If we
communicate additional deficiencies to management, we also consider
communicating such deficiencies to those charged with governance. [2885.0.1]
We communicate material weaknesses to those charged with governance and
management in writing. [2879]

Role of the engagement We communicate the identity and role of the engagement partner to key members of
partner client management and those charged with governance. [2887]

Misstatements We communicate misstatements, whether or not they are recorded by the entity, that
have, or could have, a significant effect on the entity's financial statements, to the
relevant persons who are charged with governance. This communication includes the
misstatements in Schedules 1, 2, and 3 of the Summary of Audit Differences.
[2895.1]
If we have identified a significant misstatement resulting from error, we should
communicate the misstatement to the appropriate level of management on a timely
basis, and consider the need to report it to those charged with governance. [2895.7]

For an SE or VSE engagement, our responsibility (as set forth above) to communicate weaknesses in internal
control applies equally to an audit relating to owner-managed and smaller entities, even when:

•  we believe the owner-manager may already be informed about such matters

•  we are not sure if weaknesses in internal control, particularly those related to limited
segregation of duties, can be addressed in a cost-beneficial manner.
It is only by communicating identified weaknesses that we can be certain that management and those charged
with governance have been informed of the problem.

Footnotes
[1]
Planned hours should not exceed 200 hours if the client/engagement is considered "medium" risk based on the global CEAC process. Risk
management partner approval is obtained for engagements intending to use the VSE workflow where the client/engagement is considered
"medium" risk based on the global CEAC process.
[back]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Interntional Audit Workbook
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Chapter 3 - Planning Page 30 / 133


[1]
Planned hours should not exceed 200 hours if the client/engagement is considered "medium" risk based on the global CEAC process. Risk
management partner approval is obtained for International
engagements intending
Audit to use
Workbook the VSE Audit
(Interntional workflow where the client/engagement is considered
Workbook)
"medium" risk based on the global CEAC process.
[back]
Interntional Audit Workbook

Chapter 3 - Planning
The objectives of Planning are to: [3002]

• obtain an understanding of the entity's business and its industry and environment, its accounting
policies and practices, and its financial performance

• understand and evaluate the design and the implementation of entity level controls relevant to
the audit

• assess risks of material misstatement of the financial statements, including risks of error and
fraud

• develop our audit strategy in response to those risks

• determine significant accounts and disclosures, and

• develop our planned audit approach for significant accounts and disclosures.
Planning is described in the following chart:

Planning an audit involves establishing the overall audit strategy for the engagement and developing an audit plan to reduce
audit risk to an acceptably low level. The involvement of the engagement partner and other key members of the
engagement team in planning the audit draws on their experience and insight thereby enhancing the effectiveness and
efficiency of the planning process. [3070]
Adequate planning helps to devote the appropriate attention to important areas of the audit, to identify and resolve potential
problems on a timely basis, and to properly organize and manage the audit engagement so that it is performed in an
effective and efficient manner. Adequate planning also assists in the proper assignment of work to engagement team
members, facilitates the direction and supervision of engagement team members and the review of their work, and assists,
where applicable, in coordination of work done by auditors of components, KPMG specialists and external experts. The
nature and extent of planning activities will vary according to the size and complexity of the entity, our previous experience
with the entity, and changes in circumstances that occur during the audit engagement. [3071]

Although planning for SE and VSE engagements may not be carried out until after year-end, all planning activities
are completed and documented in the SE Planning Document or VSE Planning and Completion Document, as
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
appropriate, before we begin activities related to Control Evaluation and Substantive Testing. Effective planning
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
results in an effective and efficient audit.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 31 / 133
where applicable, in coordination of work done by auditors of components, KPMG specialists and external experts. The
nature and extent of planning activities will vary according to the size and complexity of the entity, our previous experience
with the entity, and changes in circumstances that occur during the audit engagement. [3071]
International Audit Workbook (Interntional Audit Workbook)

Although planning for SE and VSE engagements may not be carried out until after year-end, all planning activities
are completed and documented in the SE Planning Document or VSE Planning and Completion Document, as
appropriate, before we begin activities related to Control Evaluation and Substantive Testing. Effective planning
results in an effective and efficient audit.

3.1. Preliminary Engagement Activities


Our consideration of client and engagement continuance and ethical requirements, including independence, occurs
throughout the performance of the audit engagement as conditions and changes in circumstances occur. However, our
initial procedures on both client and engagement acceptance or continuance and evaluation of ethical requirements
(including independence) are performed prior to performing other significant activities for the current audit engagement.
For continuing audit engagements, such initial procedures often occur shortly after (or in connection with) the completion of
the previous audit. [3061]
The purpose of performing these preliminary engagement activities is to assist us in identifying and evaluating events or
circumstances that may adversely affect our ability to plan and perform the audit engagement to reduce audit risk to an
acceptably low level. Performing these preliminary engagement activities enable us to plan an audit engagement for which:
[3062]

• we maintain the necessary independence and ability to perform the engagement

• there are no issues with management integrity that may affect our willingness to continue the
engagement, and

• there is no misunderstanding with the client as to the terms of the engagement.

Risks identified in the client/engagement acceptance/continuance process serve as a starting


point for identifying financial statement level and assertion level risks, including fraud risks.
[3605]
It is important that the appropriate members of the engagement team be made aware of these
identified risks, so that the risks can be appropriately addressed during Planning.

3.2. Kickoff Discussion


Early in audit Planning, we may have a kickoff discussion to share among key engagement team members, including KPMG
specialists when appropriate, our collective knowledge about the entity and its environment and perspectives on how the
audit will be approached, as well as our activities during Planning. [3099]
A kickoff discussion may help us in planning the risk assessment procedures to be performed to obtain a sufficient
understanding of the entity and its environment. Understanding the entity and its environment is an essential aspect of
performing an audit. In particular, that understanding establishes a frame of reference within which we plan the audit and
exercise professional judgment about assessing risks of material misstatement of the financial statements and responding
to those risks throughout the audit. [3329]/[3327]

The engagement team may use the Practice Aid - Example Kickoff Discussion Agenda, available
on ARO, to assist the engagement team to effectively conduct this discussion. This practice aid
contains examples of topics that may be addressed in the kickoff discussion. [3101]

Depending on the size and complexity of the engagement, as well as other circumstances that
may be relevant in the judgment of the engagement partner, the optional kickoff discussion and
the required risk assessment and planning discussion, addressed later in this chapter, may be
either combined or split into a series of discussions. [3104.1]

In practice, the kickoff discussion may be held in different ways and involve different
engagement team members based on the judgment of the engagement partner. For smaller
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
engagements, an informal discussion between the partner and manager might be appropriate
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
while on a more complex engagement the involvement of the in-charge or KPMG specialists
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
might be more effective. [3102]
Page 32 / 133
may be relevant in the judgment of the engagement partner, the optional kickoff discussion and
the required risk assessment and planning discussion, addressed later in this chapter, may be
either combined or split into a series
International of discussions.
Audit Workbook [3104.1]
(Interntional Audit Workbook)

In practice, the kickoff discussion may be held in different ways and involve different
engagement team members based on the judgment of the engagement partner. For smaller
engagements, an informal discussion between the partner and manager might be appropriate
while on a more complex engagement the involvement of the in-charge or KPMG specialists
might be more effective. [3102]

3.3. Engagement Scope


The engagement scope is by the financial reporting and auditing frameworks, as well as industry specific or regulatory
requirements related to financial reporting, if any, relevant to our audit. [3106]
The engagement scope considers the following: [3107]

Applicable financial In most cases, the applicable financial reporting framework will be that of the
reporting framework, jurisdiction in which the entity is registered or operates and the KPMG office is
including regulatory located, and we and the entity will have a common understanding of that framework.
requirements related to In some cases, there may be no local financial reporting framework, in which case
financial reporting the entity's choice will be governed by local practice, industry practice, user needs, or
other factors.
For example, the entity's competitors may apply IFRS and the entity may determine
that IFRS are also appropriate for its financial reporting requirements.
For example, regulations on accounting or financial reporting required by the U.S.
Securities & Exchange Commission (U.S.-SEC) or a stock exchange

Applicable auditing For example, International Standards on Auditing (ISA), national GAAS, and/or laws
standards, including or regulations determining those standards.
legislative and regulatory
requirements

Industry specific We consider whether local regulations specify certain financial reporting
requirements related to requirements for the industry in which the entity operates.
financial reporting
For example, additional accounting or financial reporting rules for financial
institutions.

Other terms of the For example, specific requirements as set forth in the engagement letter, such as
engagement deliverables in addition to the audit report on the financial statements, timing
requirements, or expected communications to management or those charged with
governance.

Other information that will For example, regulatory filing documents of listed companies, such as the Form 10-K
include financial statements for an entity subject to regulation by the U.S.-SEC.
or our report to be read as
part of our audit

In Vector, you define what industry sector the client operates in and the location of its
operations. The decisions made relating to the industry determine the additional knowledge that
is delivered to the user to aid in the completion of the engagement, for example, industry-
specific substantive audit procedures (only available for certain industries). Once you have
decided on the appropriate industry-country combination, you use the workflow drop-down menu
to select the appropriate workflow, namely FSA, SE, VSE, IA, or LCE.

3.4. Audit Strategy Decisions


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
The overall audit strategy sets the scope, timing, and direction of the audit, and guides the development of the more
detailed audit plan. [3079] Page 33 / 133
specific substantive audit procedures (only available for certain industries). Once you have
decided on the appropriate industry-country combination, you use the workflow drop-down menu
to select the appropriate workflow, namely FSA, SE, VSE, IA, or LCE.
International Audit Workbook (Interntional Audit Workbook)

3.4. Audit Strategy Decisions


The overall audit strategy sets the scope, timing, and direction of the audit, and guides the development of the more
detailed audit plan. [3079]
The audit strategy considers the results of preliminary engagement activities and, where practicable, experience gained on
other engagements performed for the entity. [3078]
After the preliminary engagement activities have been performed and the scope of the engagement has been determined,
we make audit strategy decisions relating to the following matters: [3110]

Materiality Our consideration of materiality when planning and performing audit procedures
includes the concepts of: [3124]

• materiality for planning purposes

• significant misstatement threshold

• audit difference posting thresholds.

Timing of audit activities Ordinarily, we document the following matters that pertain to timing of audit
activities: [3184]

• external deliverables

• fieldwork

• other activities, such as:


- specific audit procedures (i.e., physical inventory
observation and confirmation of accounts receivable)
- meetings and other communication with management and
those charged with governance
- team meetings and other communications among
engagement team members.

Team assignments, We plan and document the role, the name, and the key responsibilities of
including KPMG specialists engagement team members that are unique to the audit engagement. [3212]
The nature, timing, and extent of resources necessary to perform the engagement
include consideration of the following: [3207]

• the resources to deploy for specific audit areas


For example, the use of appropriately experienced team members for high-
risk areas or the involvement of KPMG specialists or external experts on
complex matters.

• the extent of resources to allocate to specific audit areas


For example, the number of team members assigned to observe the
inventory count at material locations, the extent of review of other auditors'
work in the case of group audits, and the audit budget in hours to allocate
to high-risk areas.

• when these resources are deployed, and


For example, whether at an interim audit stage or at key cutoff dates.

• how such resources are managed, directed, and supervised.


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
For example, when team meetings and engagement partner and manager
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
reviews are expected to take place.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Communication with We plan and document the planned communication with the engagement quality Page 34 / 133
reviewing partners control reviewer, the IFRS reviewing partner, the filing review partner and other
to high-risk areas.

• when these resources are deployed, and


International
For example, Audit Workbook
whether at (Interntional
an interimAudit Workbook)
audit stage or at key cutoff dates.

• how such resources are managed, directed, and supervised.


For example, when team meetings and engagement partner and manager
reviews are expected to take place.

Communication with We plan and document the planned communication with the engagement quality
reviewing partners control reviewer, the IFRS reviewing partner, the filing review partner and other
reviewing partners (if applicable), its timing, and the team members responsible for
that communication. [3227]

Involvement of others We plan and document the involvement of other KPMG locations and the subject
matter and audit scope of their involvement, including specific audit procedures (for
example, an inventory observation). [3240]/[3240.1]
We also plan whether others will be involved, such as internal auditing, service
organizations, and external experts.

We plan the nature, timing, and extent of direction and supervision of engagement team

! members based on the assessed risk of material misstatement. As the assessed risk of material
misstatement increases, for the area of audit risk, we ordinarily increase the extent and
timeliness of direction and supervision of engagement team members and perform a more
detailed review of their work. Similarly, we plan the nature, timing, and extent of review of the
engagement team's work based on the capabilities and competence of the individual team
members performing the audit work. [3221]

Establishing the audit strategy will vary according to the size of the entity and the complexity of
the audit. [3080.1]

Due to the nature of an SE engagement, it is expected that the "Involvement of Others" section of the SE Planning
Document will often not be applicable. In those instances, the section is marked as such.

3.4.1 Materiality
Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and presentation of
financial statements. Although financial reporting frameworks may discuss materiality in different terms, they generally
explain that: [3115]

• misstatements, including omissions, are considered to be material if they, individually or in the


aggregate, could reasonably be expected to influence the economic decisions of users taken on
the basis of the financial statements

• judgments about materiality are made in light of surrounding circumstances, and are affected by
the size or nature of a misstatement, or a combination of both

• judgments about matters that are material to users of the financial statements are based on a
consideration of the common financial information needs of users as a group. The possible effect
of misstatements on specific individual users, whose needs may vary widely, is not considered,
and

• judgments about materiality are made in relation to the relevant financial reporting period.
We should consider materiality when: [ISA 320.8] [3118]

• determining the nature, timing, and extent of audit procedures, and

• evaluating the effect of misstatements.


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Materiality for planning purposes (MPP) represents a quantitative measurement of the magnitude of an omission
or misstatement in the financial statements that, in light of the surrounding circumstances, makes it probable that Page 35 / 133
economic decisions of users would have been changed or influenced by the omission or misstatement.
• judgments about materiality are made in relation to the relevant financial reporting period.
We should consider materiality when: [ISA 320.8] [3118]

• determining the nature, timing,International


and extent Audit
of Workbook (Interntional and
audit procedures, Audit Workbook)

• evaluating the effect of misstatements.

Materiality for planning purposes (MPP) represents a quantitative measurement of the magnitude of an omission
or misstatement in the financial statements that, in light of the surrounding circumstances, makes it probable that
economic decisions of users would have been changed or influenced by the omission or misstatement.
Materiality for planning purposes is determined at the financial statement level.

To determine MPP, we select an appropriate benchmark and then apply an appropriate percentage to that benchmark.

Selecting the benchmark


The engagement partner exercises professional judgment when determining an appropriate benchmark on which to
determine MPP. [3134]
Examples of benchmarks that may be appropriate, depending on the nature and circumstances of the particular entity,
include profit or loss before tax, total revenue, total expenses, total assets, and net assets. [3135]
Factors to consider in determining an appropriate benchmark include: [3136]

• the elements of the financial statements (e.g., assets, liabilities, equity, revenue, and expenses).
For purposes of determining MPP, we do not use financial measures that are not defined in a
financial reporting framework (e.g., non-GAAP measures), such as EBITDA

• whether there are items on which the attention of the users of the financial statements tends to
be focused (e.g., for purposes of evaluating financial performance, users may tend to focus on
profit, revenue, or net assets)

• the nature of the entity, where the entity is in its life cycle, and the industry and economic
environment in which the entity operates, and

• the entity's ownership structure, or the way it is financed (for example, if an entity is financed
solely by debt rather than equity, users may put more emphasis on assets, and claims on them,
than on the entity's earnings)

Profit or loss before tax is often used as the benchmark for profit-oriented entities. For asset-
based entities (for example, an investment fund), an appropriate benchmark may be net assets.
For not-for-profit entities, an appropriate benchmark may be total assets or total expenses.
[3137]

It is expected that the benchmark and the percentage to be applied to the benchmark we use for

! determining MPP ordinarily will be consistent from period to period unless a change is
considered appropriate due to a significant change in the circumstances of the entity, or a
substantive change in our perception of the needs of the users of the financial statements. If we
change the benchmark and/or percentage to be applied to the benchmark from that used in
previous audits, we document in Attachment I to the Planning Document our rationale for the
change. [3139]

Setting the value of the benchmark


Once an appropriate benchmark has been selected, relevant financial data to be used in determining MPP is identified.
Relevant financial data ordinarily includes the period-to-date financial results and financial position; budgets or forecasts for
the current period; prior periods' financial results and financial position, adjusted for significant changes in the
circumstances of the entity (for example, a significant business acquisition); and relevant changes of conditions in the
industry or economic environment in which the entity operates. [3141]
For example, when, as a starting point, materiality for planning purposes is determined for a particular entity based on a
percentage of profit before tax, circumstances that give rise to an unusual decrease or increase in profit before tax, such as
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
significant restructuring charges, may lead the engagement partner to conclude that MPP is more appropriately determined
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
using a normalized profit or loss before tax based on past results (normalized basis).
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

As another example, when an entity's profit before tax is consistently nominal, as might be the case for an owner-managed
Page 36 / 133
business where the owner takes much of the profit before tax in the form of remuneration, the engagement partner may
Relevant financial data ordinarily includes the period-to-date financial results and financial position; budgets or forecasts for
the current period; prior periods' financial results and financial position, adjusted for significant changes in the
circumstances of the entity (for example, a significant business acquisition); and relevant changes of conditions in the
industry or economic environment in which International
the entityAudit Workbook [3141]
operates. (Interntional Audit Workbook)

For example, when, as a starting point, materiality for planning purposes is determined for a particular entity based on a
percentage of profit before tax, circumstances that give rise to an unusual decrease or increase in profit before tax, such as
significant restructuring charges, may lead the engagement partner to conclude that MPP is more appropriately determined
using a normalized profit or loss before tax based on past results (normalized basis).
As another example, when an entity's profit before tax is consistently nominal, as might be the case for an owner-managed
business where the owner takes much of the profit before tax in the form of remuneration, the engagement partner may
conclude that MPP is more appropriately determined by reference to profit before tax, adjusted for owner remuneration and
related income tax.

Determining the percentage applied to the benchmark


Determining a percentage to be applied to a chosen benchmark involves the exercise of professional judgment and
consideration of the expectations and needs of the users of the financial statements. [3145]

Where MPP is determined by reference to a net benchmark measure (e.g., profit or loss before

! tax or net assets), the percentage to be applied to the benchmark ordinarily falls between 3 and
10% (inclusive). [3146]

Where MPP is determined by reference to a gross benchmark measure (e.g., total revenue, total
expenses, or total assets), the percentage to be applied to the benchmark ordinarily falls
between 0.5 and 2% (inclusive). [3146]

The engagement partner considers the following factors in determining the percentage to be applied to the benchmark. The
factors below are meant to be illustrative; there may be other factors that impact the determination of the percentage to be
applied to the benchmark based on engagement specific circumstances. [3147]

Factor Higher percentageLower percentage

Concentration of • Concentration of ownership in • Listed or public interest entity


ownership/and (or) a small number of well
management informed individuals

Debt arrangements • Limited debt • Publicly traded debt

• Debt arrangements where • Loan covenants sensitive to


lenders have access to operating results
management information and
do not rely solely on audited
financial statements

Business environment • The entity operates in a • The entity operates in a


stable business environment volatile business environment

• The operations of the entity • The entity has complex


are relatively less complex operations and/or diverse
and few core business business processes
processes in which the entity
is involved • The entity operates in
locations which are subject to
• The entity provides a limited political instability
number of products or
services

• The entity has a viable


sustainable business

Other sensitivities • No financial regulators • Operate in a highly regulated


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
industry
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• Few changes in stakeholders
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
have occurred or are • Intention to list or register
expected securities Page 37 / 133
services

• The entity has a viable


sustainable business
International Audit Workbook (Interntional Audit Workbook)

Other sensitivities • No financial regulators • Operate in a highly regulated


industry
• Few changes in stakeholders
have occurred or are • Intention to list or register
expected securities

• Few external users of the • Recent or expected sale of


entity's financial statements the entity

• Impact that misstatements


might have on Earnings Per
Share (EPS), and extent to
which a change in EPS
influences the users of the
financial statements

Concurrence from the EQCR in relation to materiality

For U.S. SEC registrants, it ordinarily is expected that engagement teams will determine materiality for planning purposes
not higher than 5 percent of profit or loss before tax, or 0.5 percent of total assets or revenues, as appropriate. [3148]

If the engagement partner believes that a benchmark other than profit or loss before tax, total

! assets or total revenues is a more appropriate benchmark for determining materiality for
planning purposes, or that a higher percentage than those noted above is appropriate under the
circumstances, the engagement partner obtains concurrence from the engagement quality
control reviewer for the benchmark and/or percentage prior to commencing significant audit
procedures. [3148]

Significant misstatement threshold (SMT)


SMT is set to reduce to an appropriately low level the probability that the total of uncorrected and undetected
misstatements in the financial statements exceeds MPP. [3159.1]
We determine SMT for purposes of assessing the risks of material misstatement and determining the nature, timing, and
extent of further audit procedures. [3159]

The engagement partner uses MPP as a starting point to determine SMT. SMT cannot exceed

! 75% of MPP. [3159]

The presence of one or more of the following factors may indicate that a lower SMT may be appropriate. The factors below
are meant to be illustrative; there may be other factors that impact the determination of SMT based on engagement specific
circumstances. [3159.3]

• weak control environment

• entity with a history of material weaknesses and/or a number of control deficiencies

• high turnover of senior management

• entity with a history of large or numerous misstatements in previous audits

• entity with more complex accounting issues and significant estimates, and

• entity that operates in a number of locations.


We determine whether, in the specific circumstances of the entity, there are particular classes of transactions, account
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
balances, or disclosures for which misstatements of lesser amounts than our SMT level could reasonably be expected to
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
influence the economic decisions of users. In such circumstances, we apply professional judgment to determine one or
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
more lower levels of SMT to be applied to those particular classes of transactions, account balances, or disclosures.
Page 38 / 133
[3159.4]
• entity with a history of large or numerous misstatements in previous audits

• entity with more complex accounting issues and significant estimates, and
International Audit Workbook (Interntional Audit Workbook)
• entity that operates in a number of locations.
We determine whether, in the specific circumstances of the entity, there are particular classes of transactions, account
balances, or disclosures for which misstatements of lesser amounts than our SMT level could reasonably be expected to
influence the economic decisions of users. In such circumstances, we apply professional judgment to determine one or
more lower levels of SMT to be applied to those particular classes of transactions, account balances, or disclosures.
[3159.4]
For example, the users of the financial statements may be more sensitive to quantitatively smaller misstatements related to
disclosures regarding directors' remuneration or related-party transactions than for other significant accounts or
disclosures. The engagement team may determine that the significant misstatement threshold for these items should be
lower than that determined for other areas of the audit. [3159.4]
Similarly, nonrecurring revenue may turn a loss into a profit or reverse the trend of earnings from a downward to an
upward trend. The economic decisions of a user may be affected by a failure to disclose separately a nonrecurring item of
revenue of that magnitude. Therefore, the engagement team may determine that a lower significant misstatement
threshold for nonrecurring revenue would be appropriate. [3159.4]

Audit difference posting threshold


We specify an amount below which we consider audit differences, if they exist, to be clearly trivial. We refer to this clearly
trivial amount as the audit difference posting threshold. [3166]
Amounts stated as clearly trivial are a matter of judgment, whereby the financial statements would not be materially
misstated if audit differences below the specified amount, if any, aggregated with other audit differences, are not corrected.
[3169]

The engagement team determines the audit difference posting threshold, which ordinarily falls

! between 3 to 5% of MPP. [3167]


The engagement partner may, for reclassification misstatements of the balance sheet only or the
income statement only, determine an audit difference posting threshold that exceeds 3 to 5% of
materiality for planning purposes. In such cases, the engagement partner discusses the audit
difference posting threshold with the engagement quality control reviewer, when the
engagement requires an engagement quality control review. [3175]

When determining the audit difference posting threshold, we consider factors similar to those discussed for MPP and SMT.
After consideration of qualitative factors, we may determine that a lower percentage is appropriate for the audit difference
posting threshold. [3170]
Audit differences detected below the audit difference posting threshold need not be summarized in the Summary of Audit
Differences, and the relevant working paper is annotated to indicate that the difference is considered clearly trivial.
However, we consider their qualitative aspects. [3171]
The qualitative consideration of such clearly trivial audit differences is usually limited to a consideration of whether such
audit differences: [3172]

• relate to a related party or transactions with a related party

• may indicate the possible existence of fraud, or

• individually or in the aggregate may be indicators of control deficiencies.


If an amount is considered qualitatively significant but is below the audit difference posting threshold, it is included in the
Summary of Audit Differences as an audit difference. [3173]

Revisions to MPP, SMT, and ADPT


MPP is revised during the course of conducting the audit in the event we become aware of information that would have
significantly modified MPP determined during planning. [3152]
Where the engagement team revises MPP downward from the amount determined during planning, the related SMT(s) also
is revised downward, and further audit procedures may need to be performed to obtain sufficient appropriate audit
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
evidence. [3163]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Where MPP has been revised downward from the amount determined at planning, we revise the audit difference posting
Page 39 / 133
threshold accordingly, or document why it is not necessary to revise the audit difference posting threshold. [3177]
Revisions to MPP, SMT, and ADPT
MPP is revised during the course of conducting the audit in the event we become aware of information that would have
International
significantly modified MPP determined during Audit [3152]
planning. Workbook (Interntional Audit Workbook)

Where the engagement team revises MPP downward from the amount determined during planning, the related SMT(s) also
is revised downward, and further audit procedures may need to be performed to obtain sufficient appropriate audit
evidence. [3163]
Where MPP has been revised downward from the amount determined at planning, we revise the audit difference posting
threshold accordingly, or document why it is not necessary to revise the audit difference posting threshold. [3177]

3.5. Risk Assessment Procedures

Risk assessment procedures are the audit procedures performed to: [9221]

• obtain an understanding of the entity and its industry and environment, including its
internal control, and

• assess the risks of material misstatement at the financial statement and assertion levels.

We perform the following risk assessment procedures to obtain an understanding of the entity and its environment,
including internal control: [3335]

Inquiries of management Much of the information we obtain by inquiries may be useful in providing us with a
and others within the entity different perspective in identifying risks of material misstatement. Therefore, we
make inquiries of management and those responsible for financial reporting; others
within the entity, such as production and internal audit personnel; and other
employees with different levels of authority. [3339]
Our risk assessment procedures include inquiries of management, those charged
with governance, internal audit, and others to identify and assess risks of material
misstatement related to fraud, going concern, laws and regulations, litigation and
claims, and related parties as described in the Audit Program for Specific Topics.

Analytical procedures We apply analytical procedures as risk assessment procedures to obtain an


understanding of the entity and its environment. [3342.1]
Analytical procedures may be helpful in identifying the existence of unusual
transactions or events and amounts, ratios, and trends that might indicate matters
that have financial statement and audit implications. [3344]
Analytical procedures include procedures related to revenue accounts with the
objective of identifying unusual or unexpected relationships that may indicate a risk of
material misstatement due to fraudulent financial reporting.

Observation and inspection Observation and inspection may support inquiries of management and others as well
as provide information about the entity and its environment. Such audit procedures
ordinarily include the following: [3347]

• observation of entity activities and operations

• inspection of documents, records, and internal control manuals

• reading reports prepared by management and those charged


with governance

• visits to the entity's premises and plant facilities, and

• tracing transactions through the information system(s) relevant


to financial reporting (walkthroughs).

An optional Practice Aid - Example Risk Assessment Inquiries is available on ARO to help
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
engagement team members in identifying the appropriate entity personnel and the related
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
matters to be discussed and coordinating such inquiries (e.g., to be able to conduct all inquiries
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
in one or a number of limited discussions with the appropriate individual, when possible and
Page 40 / 133
appropriate). [3340.1]
• tracing transactions through the information system(s) relevant
to financial reporting (walkthroughs).
International Audit Workbook (Interntional Audit Workbook)

An optional Practice Aid - Example Risk Assessment Inquiries is available on ARO to help
engagement team members in identifying the appropriate entity personnel and the related
matters to be discussed and coordinating such inquiries (e.g., to be able to conduct all inquiries
in one or a number of limited discussions with the appropriate individual, when possible and
appropriate). [3340.1]

An optional Practice Aid - Example Analytical Procedures, available on ARO, provides examples
of matters that we may consider when obtaining an understanding of the measurement and
review of the entity's financial performance (aggregated and disaggregated). [3509]

The extent of risk assessment procedures to be performed varies depending on the specific circumstances of the
engagement. At a minimum, we perform: [3356]

• risk assessment procedures - related to specific topics

• an inquiry of other KPMG engagement partners or engagement managers involved in nonaudit


services provided, if any, about possible risks of material misstatement

• inquiries of management about changes in the entity's business and its environment, including
internal control

• an analytical review of financial information for planning purposes, and

• an analysis of the results of interim reviews performed, if any.

Risk assessment procedures are carried out during the Planning phase of the audit although the nature of some
SE and VSE engagements may preclude the engagement team from completing the planning prior to year-end.
Completing planning after year-end does not change the nature and extent of risk assessment procedures,
however, for an SE or VSE engagement, the nature and extent of operations may not require the performance of
as extensive risk assessment procedures to obtain an understanding of the entity as may be required in a more
complex engagement.

Planning risk assessment procedures facilitates an effective audit. A kickoff discussion may help
us in planning the risk assessment procedures to be performed to obtain a sufficient
understanding of the entity and its environment. Upfront planning of risk assessment procedures
also provides the opportunity for the engagement partner and manager to direct the
engagement team where to focus its work, and to share their experience and background
knowledge about the industry and the entity. [3329]
For recurring engagements, where we may use our understanding obtained in prior period
audits, identifying significant changes in any of the above aspects of the entity from prior periods
is particularly important in gaining a sufficient understanding of the entity to identify and assess
risks of material misstatement.
We also use our understanding from risk assessment procedures performed as part of
engagements to review interim financial information. [3329.1]/[3355]

3.6. Understanding the Entity


Our understanding of the entity, which we obtain by performing risk assessment procedures, consists of an understanding
of the following aspects: [3377]

Business, industry, and The nature of an entity refers to its operations, ownership, governance, types of
environment investments, the way it is structured, and how it is financed. An understanding of the
nature of an entity enables us to understand the classes of transactions, account
balances derived from estimates, other account balances, and disclosures to be
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
expected in the financial statements. [3394]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
The industry in which the entity operates may give rise to specific risks of material
misstatement arising from the nature of the business or the degree of regulation. Page 41 / 133
[3443]
of the following aspects: [3377]

Business, industry, and The natureInternational


of an entity refers
Audit to its
Workbook operations,
(Interntional Auditownership,
Workbook) governance, types of
environment investments, the way it is structured, and how it is financed. An understanding of the
nature of an entity enables us to understand the classes of transactions, account
balances derived from estimates, other account balances, and disclosures to be
expected in the financial statements. [3394]
The industry in which the entity operates may give rise to specific risks of material
misstatement arising from the nature of the business or the degree of regulation.
[3443]
An understanding of the legal and regulatory environment includes procedures to
assist the engagement team to: [3452]

• obtain an understanding of the legal and regulatory framework


applicable to the entity and its industry

• identify instances of noncompliance with laws and regulations,


including possible illegal acts

• evaluate the design and implementation of the entity's policies,


procedures, and controls regarding compliance with the
applicable legal and regulatory framework, including controls to
prevent and detect noncompliance and illegal acts.
We also consider the entity's economic, political, and social environment. [3020]

Accounting policies and We obtain an understanding of the entity's selection and application of accounting
practices policies and consider whether they are appropriate for its business and consistent
with the applicable financial reporting framework and accounting policies used in the
relevant industry. [3454]
Our understanding of the entity's accounting policies and practices addresses the
following matters: [3022] [3458]

• applicable financial reporting framework, including:


- new accounting standards
- controversial or emerging areas with lack of authoritative
guidance or consensus
- regulatory (financial reporting and tax-related) inquiries,
investigations, and/or enforcement action and
- changes to the selection and application of accounting
policies by the entity, including initial selection and
application

• critical accounting policies, and

• impact of the entity's structure on financial reporting.

Financial performance Performance measures and their review indicate to us aspects of the entity's
performance that management and others consider to be of importance.
Performance measures, whether external or internal, create pressures on the entity
that, in turn, may motivate management to take action to improve the business
performance or to misstate the financial statements. Therefore, obtaining an
understanding of the entity's performance measures assists us in considering
whether such pressures result in management actions that may have increased the
risks of material misstatement. [3486]
Our understanding of the entity's financial performance addresses the following
matters: [3487]

• external expectations
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• analyses prepared by the entity as well as analysis performed
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
by KPMG and the related results
Page 42 / 133
• events or conditions raising doubt about the entity's ability to
risks of material misstatement. [3486]
Our understanding of the entity's financial performance addresses the following
International Audit Workbook (Interntional Audit Workbook)
matters: [3487]

• external expectations

• analyses prepared by the entity as well as analysis performed


by KPMG and the related results

• events or conditions raising doubt about the entity's ability to


continue as a going concern.

Entity level controls Entity level controls are internal controls that operate at the entity level rather than at
the specific assertion level. [3028.1.1]
Entity level controls often have a pervasive impact on control activities over classes of
transactions, account balances derived from estimates, other account balances, and
disclosures. For that reason, as a practical consideration, we evaluate the design and
implementation of entity level controls during Planning, because the results of that
work might impact the effectiveness of control activities over accounting activities and
financial reporting. [3546]

Instances or concerns of We perform the risk assessment procedures related to misconduct or unethical
misconduct or unethical behavior by the entity management or personnel or those charged with governance.
behavior related to [3550]
financial reporting [3377.1]

We document key elements of the understanding obtained regarding each of the aspects of the
entity and its environment, including each of the internal control components, to assess the risks
of material misstatement of the financial statements, and the sources of information from which
the understanding was obtained. [3378]
The form and extent of this documentation is influenced by the nature, size, and complexity of
the entity and its internal control, and availability of information from the entity. Ordinarily, the
more complex the entity and the more extensive the audit procedures performed, the more
extensive our documentation will be. [3379]
We only document information that is relevant to our audit of the financial statements. [3384]

When obtaining an understanding of the entity for an SE or VSE engagement, we consider the following:

•  such entities ordinarily do not have formal processes to measure and review the entity's
financial performance. Management nevertheless often relies on certain key indicators
that knowledge and experience of the business suggest are reliable bases for evaluating
financial performance and taking appropriate action.

•  such entities may not have "formal" or "documented" entity level controls that have
been effectively designed and implemented. In such cases, we identify the control
deficiencies and determine the effect on our planned audit approach and audit strategy.

•  such entities may not have a process in place to formally report concerns of misconduct
or unethical behavior. In such instances, we rely on inquiries with management, those
charged with governance, and others in the entity.

•  the form and extent of our documentation is influenced by the nature, size, and
complexity of the entity and its internal control, and the availability of information from
the entity. Ordinarily, audits of less complex entities will result in less extensive
documentation of our understanding of the entity.

The AlacraTM Company Book and the Alacra Industry Book are optional tools available in a
downloadable format at http://kpmgaasc.alacra.com/kpmgaasc/ that may be useful to obtain
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
updated information regarding a given chosen company or its industry (Alacra is a registered
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
trademark of Alacra, Inc.). [3388]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

The Company Book is focused on providing items containing third-party comments on the Page 43 / 133
company, such as news and analyst reports. [3389]
the entity. Ordinarily, audits of less complex entities will result in less extensive
documentation of our understanding of the entity.
International Audit Workbook (Interntional Audit Workbook)

The AlacraTM Company Book and the Alacra Industry Book are optional tools available in a
downloadable format at http://kpmgaasc.alacra.com/kpmgaasc/ that may be useful to obtain
updated information regarding a given chosen company or its industry (Alacra is a registered
trademark of Alacra, Inc.). [3388]
The Company Book is focused on providing items containing third-party comments on the
company, such as news and analyst reports. [3389]
The Industry Book provides information on an industry and country to assist in obtaining an
understanding of a client's business. [3390]

3.7. Risk Assessment and Planning Discussion


Usually, we hold a risk assessment and planning discussion after we have completed our risk assessment procedures,
obtained our understanding of the entity, and made a preliminary determination of identified risks and our planned audit
approach. [3559.1]
We document the date of the discussion, participants, and topics discussed in the Planning Document. [3566.2]
Decisions made regarding financial statement and assertion level risks, our planned audit approach at the assertion level for
significant accounts and disclosures, and our audit strategy decisions are documented in the relevant section of the Planning
Document. [3566.3]
This discussion includes, at a minimum, the following topics: [3560.1]

• the importance of professional skepticism and the need to maintain a questioning mind, setting
aside any of our prior beliefs that management is honest and has integrity, at all times during the
audit, particularly whenever circumstances indicating possible misstatements due to fraud or
error are encountered and to be rigorous in following up on such indications

• the responsibilities of engagement team members (which include maintaining an objective state
of mind and appropriate level of professional skepticism, performing the work delegated to them
in accordance with the ethical principle of due care, and promptly communicating to the
engagement partner any identified fraud risk indicators or possible illegal acts)

• our audit strategy decisions, including the determination of materiality for planning purposes and
significant misstatement threshold and how these will be used to determine the extent of testing

• our understanding of the entity resulting from our risk assessment procedures

• how the entity's accounting policies, including unusual accounting procedures, address the
application of the applicable financial reporting framework to the entity's facts and circumstances

• a consideration of the known external and internal factors affecting the entity that may create an
incentive or pressure for management or others to commit fraud, provide the opportunity for
fraud to be perpetrated, and indicate a culture or environment that enables management or
others to rationalize committing fraud (the "fraud triangle")

• a consideration of the risk of management override of controls, including override through journal
entries and other audit adjustments, significant accounting estimates, or significant unusual
transactions, and the risk of fraudulent revenue recognition

• the susceptibility of the entity's financial statements to material misstatements, whether caused
by fraud or error, with special emphasis on fraud

• identified risks at the financial statement level

• identified inherent risks at the assertion level for significant accounts and disclosures and the
planned audit approach

• a consideration of how unpredictability will be incorporated into the nature, timing, and extent of
the audit procedures to be performed
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• the firm's policies and procedures for dealing with and resolving disagreements among
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
engagement team members, including KPMG specialists, or with the engagement quality control
reviewer or others consulted, and that such matters may be brought to the attention of the Page 44 / 133
engagement partner without fear of reprisal, and
• identified inherent risks at the assertion level for significant accounts and disclosures and the
planned audit approach
International Audit Workbook (Interntional Audit Workbook)
• a consideration of how unpredictability will be incorporated into the nature, timing, and extent of
the audit procedures to be performed

• the firm's policies and procedures for dealing with and resolving disagreements among
engagement team members, including KPMG specialists, or with the engagement quality control
reviewer or others consulted, and that such matters may be brought to the attention of the
engagement partner without fear of reprisal, and

• matters to be communicated to members of the team (including KPMG specialists and both
originating and participating locations) not involved in the discussion.
The objective of the risk assessment and planning discussion is for members of the engagement team to gain a better
understanding of the potential for material misstatements of the financial statements resulting from fraud or error in the
specific areas assigned to them, and to understand how the results of the audit procedures that they perform may affect
other aspects of the audit, including the decisions about the nature, timing, and extent of further audit procedures. [3561.1]
The discussion provides an opportunity for more experienced engagement team members, including the engagement
partner, to share their insights based on their knowledge of the entity, and for the team members to exchange information
about the business risks to which the entity is subject and about how and where the financial statements might be
susceptible to material misstatement, including material misstatement due to fraud. Particular emphasis is given to the
discussion of the susceptibility of the entity's financial statements to material misstatement due to fraud. [3561.4]

3.8. Summary of Identified Risks


We should identify and assess the risks of material misstatement at the financial statement level, and at the assertion level
for classes of transactions, account balances derived from estimates, other account balances, and disclosures. [3596.2]

3.8.1 Risk of Material Misstatement


When we perform an audit, we obtain and evaluate audit evidence to obtain reasonable assurance about whether the
financial statements give a true and fair view (or are presented fairly, in all material respects) in accordance with the
applicable financial reporting framework. The concept of reasonable assurance acknowledges that there is a risk the audit
opinion is inappropriate. Audit risk is the risk that we express an inappropriate audit opinion when the financial statements
are materially misstated. [3587]

Audit risk is a function of the risk of material misstatement of the financial statements (i.e., the risk that the
financial statements are materially misstated prior to audit) and the risk that we will not detect such misstatement
("detection risk"). [9039]

We perform audit procedures to assess the risk of material misstatement and seek to limit detection risk by performing
further audit procedures based on that assessment. [3595]
We reduce audit risk by designing and performing audit procedures to obtain sufficient appropriate audit evidence to be able
to draw reasonable conclusions on which to base our audit opinion. Reasonable assurance is obtained when we have
reduced audit risk to an acceptably low level. [3590]

We refer to the risk of material misstatement of the financial statements at the financial statement level (i.e.,
pervasive risk of misstatement) in terms of "risk of material misstatement" or "RoMM," whereas we refer to the
risk of material misstatement of the financial statements at the assertion level in terms of "risk of significant
misstatement" or "RoSM." [3596]

Assertion level fraud risks are addressed separately in the Audit Programs and do not affect our assessment of inherent
risks of error or our assessment of RoSM. [3662.1]

We assess RoSM as "high," "moderate," or "low."


We do not similarly assess and document RoMM. We use RoMM to help assess whether a
financial statement level risk is significant enough to be addressed in our audit strategy or
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
planned audit approach.
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
The risk of significant misstatement at the assertion level consists of the two components: [3647]
Page 45 / 133
risks of error or our assessment of RoSM. [3662.1]

International
We assess RoSM as "high," Audit Workbook
"moderate," (Interntional Audit Workbook)
or "low."
We do not similarly assess and document RoMM. We use RoMM to help assess whether a
financial statement level risk is significant enough to be addressed in our audit strategy or
planned audit approach.

The risk of significant misstatement at the assertion level consists of the two components: [3647]

Inherent risk is the susceptibility of an assertion to a misstatement due to error, which could be material,
individually or when aggregated with other misstatements, assuming that there were no related internal controls.
[9133]
For example, accounts consisting of amounts derived from accounting estimates that are subject to significant
measurement uncertainty pose greater risks than do accounts consisting of relatively routine, factual data. [3651]
Control risk is the risk that a misstatement that could occur in an assertion and that could be material, individually
or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis
by the entity's internal control. [9063]

When our assessment of the risk of significant misstatement includes an expectation of the operating effectiveness of
controls, we perform tests of controls to support the control risk component of the assessment of the risk of significant
misstatement. [3658.2]

In order to focus our control and substantive tests appropriately, we identify and define inherent
risks and control risks separately. Without such identification and definition of risks, we may not
design appropriate audit procedures to address the risks.

In order to identify and assess the risks of misstatement, we: [3596.3]

• identify risks throughout the process of obtaining an understanding of the entity and its
environment, including relevant controls that relate to the risks, and by considering the classes of
transactions, account balances derived from estimates, other account balances, and disclosures
in the financial statements

• relate the identified risks to what can go wrong at the assertion level

• consider whether the risks are of a magnitude that could result in a material misstatement of the
financial statements

• consider the likelihood that the risks could result in a material misstatement of the financial
statements, and

• define audit objectives with respect to the risks.


We use information gathered by performing risk assessment procedures, including the audit evidence obtained in evaluating
the design of controls and determining whether they have been implemented, as audit evidence to support the risk
assessment. [3596.4]
We use the risk assessment to determine the nature, timing, and extent of further audit procedures to be performed.
[3596.5]
We determine whether the identified risks of material misstatement relate to specific classes of transactions, account
balances, and disclosures and related assertions, or whether they relate more pervasively to the financial statements as a
whole and potentially affect many assertions. The latter risks (i.e., risks at the financial statement level) may derive in
particular from a weak control environment. [3596.6]

3.8.2 Identified Risks at the Financial Statement Level

Financial statement level risks are risks that result from "big picture" events and conditions or lack of oversight
that could affect financial statements as a whole and may result in a material misstatement due to error or fraud.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
[9109.1], [9110]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 46 / 133
Due to the nature of SE and VSE engagements, it is anticipated that the entity will have a reduced number of
3.8.2 Identified Risks at the Financial Statement Level
International Audit Workbook (Interntional Audit Workbook)

Financial statement level risks are risks that result from "big picture" events and conditions or lack of oversight
that could affect financial statements as a whole and may result in a material misstatement due to error or fraud.
[9109.1], [9110]

Due to the nature of SE and VSE engagements, it is anticipated that the entity will have a reduced number of
financial statement level risks as the conditions that give rise to these risks will be limited.

Risks of material misstatement at the overall financial statement level often relate to the entity's control environment
(although these risks may also relate to other factors, such as changes in the entity or the entity's environment or industry
or other business risks such as declining economic conditions), and are not necessarily risks identifiable with specific
assertions at the class of transactions, account balance derived from an estimate, other account balance, or disclosure
level. Rather, this overall risk represents circumstances that increase the risk that there could be material misstatements in
any number of different financial statement assertions. [3615]
The following are examples of conditions and events that may indicate the existence of financial statement level risks:
[3618]

• operations exposed to volatile markets, such as futures trading

• high degree of complex regulation

• changes in the industry in which the entity operates

• developing or offering new products or services, or moving into new lines of business

• expanding into new locations

• changes in the entity, such as reorganizations or other unusual events

• entities or business segments likely to be sold

• lack of personnel with appropriate accounting and financial reporting skills

• inconsistencies between the entity's IT strategy and its business strategies

• changes in significant new IT systems related to financial reporting, and

• application of new accounting pronouncements.


Such risks may be especially relevant to our consideration of the risk of material misstatement arising from fraud. For
example, through management override of internal control or collusion. [3616]
Our responses to identified financial statement level risks may include: [3639]

• emphasizing to the engagement team the need to maintain professional skepticism in gathering
and evaluating audit evidence

• assigning more experienced staff or those with special skills, or using external experts

• providing more supervision or professional staff

• incorporating additional elements of unpredictability in the selection of further audit procedures to


be performed, and/or

• making general changes to the nature, timing, or extent of audit procedures as an overall
response. For example, performing substantive procedures at period-end instead of at an interim
date.

In addition to the responses above, we consider whether the financial statement level risk
impacts significant accounts and assertions and creates one or more assertion level risks.

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Ineffective or partially effective entity level controls often result in financial statement level risks
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
that affect multiple significant accounts and assertions and, consequently, may also affect our
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
planned audit approach, as illustrated below.
Page 47 / 133
In addition to the responses above, we consider whether the financial statement level risk
impacts significant accounts and assertions and creates one or more assertion level risks.
International Audit Workbook (Interntional Audit Workbook)

Ineffective or partially effective entity level controls often result in financial statement level risks
that affect multiple significant accounts and assertions and, consequently, may also affect our
planned audit approach, as illustrated below.

The results of our evaluation of entity level controls and the effect of such results on our planned audit approach at the
assertion level can be summarized as follows:

Evaluation of entity Effect of entity level controls on our planned audit approach
level controls

Appropriately designed and We may expect to find controls at the assertion level to also be effective and, thus,
implemented we may plan our audit approach for selected audit objectives to include tests of the
operating effectiveness of controls. [3632]

Appropriately designed and We consider the effect of such deficiencies in determining our audit approach at the
implemented, but with a assertion level. [3632.1]
limited number of identified
deficiencies

Not appropriately designed It is less likely that controls at the assertion level are appropriately designed,
or implemented implemented, and operating effectively; therefore, we would apply our audit
approach with an emphasis on substantive procedures. [3632.2]

Smaller entities may have weak entity level controls. If there are such weaknesses, we ordinarily conduct more
audit procedures as of the period-end rather than at an interim date, seek more extensive audit evidence from
substantive procedures, and modify the nature of our audit procedures to obtain more persuasive audit evidence.
Also, it would be unlikely that weak entity level controls would render all assertion level controls unreliable, other
than in the smallest entities. Therefore, for audit objectives associated with a significant risk, we seek to identify
relevant controls and consider how the controls are impacted by the weaknesses in entity level controls.

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
3.8.3 Identified Risks at the Assertion Level
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Assertion level risks are risks specifically related to an account balance derived from estimate, an other account Page 48 / 133
balance, a class of transactions, a disclosure, or a specific assertion that may result in a material misstatement
Also, it would be unlikely that weak entity level controls would render all assertion level controls unreliable, other
than in the smallest entities. Therefore, for audit objectives associated with a significant risk, we seek to identify
relevant controls and consider how the International
controls are impacted
Audit Workbookby the weaknesses
(Interntional in entity level controls.
Audit Workbook)

3.8.3 Identified Risks at the Assertion Level

Assertion level risks are risks specifically related to an account balance derived from estimate, an other account
balance, a class of transactions, a disclosure, or a specific assertion that may result in a material misstatement
due to error or fraud. [9022]

We consider the risk of material misstatement at the significant account (class of transactions and account balance) and
disclosure level, which we refer to as "risk of significant misstatement at the assertion level" or simply "risk of significant
misstatement" (RoSM), because such consideration directly assists in determining the nature, timing, and extent of further
audit procedures at the assertion level. [3644]
We seek to obtain sufficient appropriate audit evidence at the significant account (class of transactions and account balance)
and disclosure level for audit objectives in a way that enables us, at the completion of the audit, to express an opinion on
the financial statements taken as a whole at an acceptably low level of audit risk. [3644.1]

When we determine the risk of significant misstatement at the assertion level, we are only
concerned with the inherent risk of error. The risk of fraud is addressed separately.

In Vector, the user is able to insert example industry specific assertion level risks directly into the
engagement file by using the Knowledge Task Pane in the Vector document "Summary of
identified risks - Part 2."

3.9. Planned Audit Approach


We should design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed
risks of material misstatement at the assertion level (RoSM). [3673]

Audit strategy vs. planned audit approach


Our overall audit strategy sets the scope, timing, and direction of the audit, and guides the
development of the more detailed audit plan. It includes materiality, timing of audit activities,
team assignments, communications with reviewing partners, and involvement of others. [9197]/
[3110]
Our audit plan converts the audit strategy into a more detailed plan that includes the nature,
timing, and extent of audit procedures to be performed by engagement team members in order
to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.
[9037]
Our planned audit approach addresses risks at the assertion level. It includes whether we plan to
take a controls or substantive approach and the mix of testing we plan to perform for each audit
objective.

The following steps are involved in designing further audit procedures:

3.9.1 Define Significant Accounts and Disclosures

An account is a significant account if there is a reasonable possibility that the account could contain a
misstatement that, individually or when aggregated with others, has a material effect on the financial statements,
considering the risks of both overstatement and understatement. The determination of whether an account is
significant is based on inherent risk, without regard to the effect of controls. [3679]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Significant accounts may be financial statement captions or disaggregated components of financial statement
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
captions consisting of one or more general ledger accounts based on the judgment of the engagement team.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
[3679.0.1]
Page 49 / 133
If there is a reasonable possibility of a misstatement in the account greater than the significant misstatement
An account is a significant account if there is a reasonable possibility that the account could contain a
misstatement that, individually or whenInternational
aggregated with
Audit others,
Workbook has a material
(Interntional effect on the financial statements,
Audit Workbook)
considering the risks of both overstatement and understatement. The determination of whether an account is
significant is based on inherent risk, without regard to the effect of controls. [3679]
Significant accounts may be financial statement captions or disaggregated components of financial statement
captions consisting of one or more general ledger accounts based on the judgment of the engagement team.
[3679.0.1]
If there is a reasonable possibility of a misstatement in the account greater than the significant misstatement
threshold, considering both the risk of overstatement and understatement, the account is considered significant
irrespective of its magnitude. We may determine that an account with a balance that exceeds the significant
misstatement threshold does not have a risk of misstatement greater than the significant misstatement threshold
and is therefore not considered to be significant. [3679.0.2]

A disclosure is a significant disclosure if there is a reasonable possibility that the disclosure could contain a
misstatement that, individually or when aggregated with others, has a material effect on the financial statements,
considering the risks of both overstatement and understatement. The determination of whether a disclosure is
significant is based on inherent risk, without regard to the effect of controls. [9239.2]

In Vector, the user is able to insert example accounts and disclosures directly into the
engagement file by using the Knowledge Task Pane in the Vector document "Planning Matrix."

Within Vector, the user is able to import accounts from the entity's trial balance using the
CaseWare® application. Once the accounts are imported into CaseWare, the user groups the
disaggregated trial balance accounts into potential significant accounts. The complete list of
potential significant accounts is then transferred into Vector where the user can associate a
specific or generic assertion level risk to the account.
(CaseWare is a registered trademark of CaseWare International, Inc.)

3.9.2 Define Relevant Assertions


We identify the assertions that are relevant for each significant account and disclosure. [3689]

Financial statement assertions are assertions by management, explicit or otherwise, that are embodied in the
financial statements, as follows: [9020.1]

• completeness

• existence and occurrence

• accuracy

• valuation

• obligations and rights

• presentation and disclosure


A relevant assertion is a financial statement assertion for a significant account or disclosure that has a reasonable
possibility of containing a misstatement or misstatements that would cause the financial statements to be
materially misstated. The determination of whether an assertion is a relevant assertion is based on inherent risk,
without regard to the effect of controls. [9216.1]

3.9.3 Determine Audit Objectives

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
An audit objective is an objective defined by us for the purpose of efficient gathering of audit evidence about
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
related financial statement assertions. We determine which relevant assertions related to which significant
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
accounts or disclosures are combined into which audit objectives.
Page 50 / 133
For example, an audit objective may be to obtain audit evidence about the completeness and accuracy of sales. In
without regard to the effect of controls. [9216.1]

3.9.3 Determine Audit Objectives


International Audit Workbook (Interntional Audit Workbook)

An audit objective is an objective defined by us for the purpose of efficient gathering of audit evidence about
related financial statement assertions. We determine which relevant assertions related to which significant
accounts or disclosures are combined into which audit objectives.
For example, an audit objective may be to obtain audit evidence about the completeness and accuracy of sales. In
this example, the audit objective relates to two assertions because the available audit procedures typically provide
audit evidence about both. [9033]

We combine assertions and related significant accounts or disclosures to determine audit objectives. [3695]
For classes of transactions, we ordinarily combine the related balance sheet and income statement accounts and the related
assertions into one audit objective. [3701]
For other account balances, we may combine more than one assertion into one audit objective and we may also combine
several significant accounts and related assertions into one audit objective. For example, an audit objective may be
"existence of inventories" or "completeness, accuracy, and existence of revenue and accounts receivable."[3702]

Audit objectives drive the structure of the Audit Program. It is important that we have grouped
the appropriate significant accounts and assertions into the appropriate audit objectives to
facilitate an effective and efficient audit approach in Control Evaluation and Substantive Testing.

3.9.4 Assessing Inherent Risk of Error


We assess the inherent risk due to error for each audit objective and not for each individual inherent risk identified. Any risk
of fraud associated with the audit objective is addressed separately and is not considered in our assessment of the inherent
risk due to error. [3724]
In assessing the inherent risk due to error for audit objectives, we use the following categories: [3723]

• Significant (S)

• Moderate (M)

• Low (L).

When assessing the inherent risk of error, we consider the specific risks we have identified
during our risk assessment procedures that may influence our inherent risk assessment. For
example, if we:

• have identified a specific risk, it is unlikely that the assessment for


inherent risk will be low

• have not identified a specific risk, it is unlikely that the assessment for
inherent risk will be significant

• are considering assessing inherent risk as significant, but have not


identified a specific risk, we consider whether our risk assessment is
complete (e.g., is there an inherent risk present that we have not yet
identified?

Examples of specific risks that may be identified are as follows: [3668]

• The entity has recently entered into new markets in XXX and, in order to penetrate these
markets, has begun using customer-specific contracts, rather than the entity's standard contract
used in the domestic market.

• Days sales outstanding for trade receivables in XXX market are 93 days vs. 61 days for the
entity's other trade receivables. The sales manager for the region has indicated that collection is
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
often delayed because the customer is slow in accepting the customer-specific modifications that
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
have been made to the product.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

• As a response to declining domestic markets, the entity changed its return policies during year X2 Page 51 / 133
in order to gain customer acceptance of the new product price level. The new policies are not
• The entity has recently entered into new markets in XXX and, in order to penetrate these
markets, has begun using customer-specific contracts, rather than the entity's standard contract
used in the domestic market. International Audit Workbook (Interntional Audit Workbook)

• Days sales outstanding for trade receivables in XXX market are 93 days vs. 61 days for the
entity's other trade receivables. The sales manager for the region has indicated that collection is
often delayed because the customer is slow in accepting the customer-specific modifications that
have been made to the product.

• As a response to declining domestic markets, the entity changed its return policies during year X2
in order to gain customer acceptance of the new product price level. The new policies are not
used consistently in all sales regions and might be misapplied by individual regions in order to
raise sales.

• The entity's practice of bill and hold transactions provides management with an opportunity to
collude with customers, falsify documents, and intentionally misapply facts and circumstances in
complying with the entity's revenue recognition policy related to such transactions.

• In year X0, the entity tried to expand by investing in a business segment. In year X1, the business
segment is following the market trend of decreasing volume. Sales numbers as of the underlying
business plan of the acquisition are not reached for the second consecutive year.

3.9.5 Define Audit Objectives Associated with a Significant Risk

Significant risks are those risks that, in our judgment, require special audit consideration. [9244]
Significant risks often relate to significant nonroutine transactions and judgmental matters. Nonroutine
transactions are transactions that are unusual due to either size or nature, and that therefore occur infrequently.
Judgmental matters may include the development of accounting estimates for which there is significant
measurement uncertainty. [3734]
Audit objectives associated with significant risks and our response thereto benefit from the judgments of the most
experienced members of the engagement team. The engagement partner is responsible for providing overall
direction for the audit approach to audit objectives associated with significant risks and reviews audit working
papers relating to audit objectives associated with significant risks. [9034]

Special audit consideration may consist of the following: [9246.1]

• evaluation of the design and implementation of assertion level controls relevant to the
identified risks

• a combination of test of operating effectiveness of controls and substantive procedures


that are specifically responsive to an identified inherent risk

• audit procedures of the same type for the same assertion to obtain sufficient appropriate
audit evidence over the assertion, and/or

• a combination of audit evidence derived from internal and external sources.


Nonroutine transactions are transactions not in the ordinary course of business or infrequent in occurrence.
Management intervention may be required for such transactions to be processed. [9184]

There are usually some audit objectives that carry a greater inherent risk of error or fraud, that involve considerable
judgment, and/or for which it is difficult to obtain audit evidence. [3728]

We define an "audit objective associated with a significant risk" as an audit objective associated with a significant
account or disclosure for which a significant inherent risk of error or risk of fraud has been identified. [3730]

In considering the nature of the risks, we consider a number of matters, including the following: [3733]

• whether the risk is a risk of fraud

• whether the risk is related to recent significant economic, accounting, or other developments
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
and, therefore, requires specific attention
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• the complexity of transactions
Page 52 / 133
• whether the risk involves significant transactions with related parties
account or disclosure for which a significant inherent risk of error or risk of fraud has been identified. [3730]

In considering the nature of the risks, we consider a number of matters, including the following: [3733]
International Audit Workbook (Interntional Audit Workbook)
• whether the risk is a risk of fraud

• whether the risk is related to recent significant economic, accounting, or other developments
and, therefore, requires specific attention

• the complexity of transactions

• whether the risk involves significant transactions with related parties

• the degree of subjectivity in the measurement of financial information related to the risk,
especially those involving a wide range of measurement uncertainty, and

• whether the risk involves significant transactions that are outside the normal course of business
for the entity, or that otherwise appear to be unusual.

Audit objectives associated with significant risks include all audit objectives where the inherent

! risk assessment for error is "significant" or where a risk of fraud has been identified for the audit
objective. [3748]

Association of a significant risk with an audit objective affects our audit in several ways,
including:

• a controls approach will be taken for the audit objective

• when we test the operating effectiveness of automated controls, we


perform these tests every year; audit evidence gained in prior periods is
not sufficient

• our audit approach and findings are summarized in the Completion


Document

• the engagement partner and manager are required to review related


audit documentation

• the engagement quality control reviewer is notified of changes to audit


documentation after the date of the auditor's report.

3.9.6 Our General Approach


In designing the audit procedures we include in the Audit Program, we consider matters such as the following: [3753]

• the significance of the risk of significant misstatement

• the likelihood that a significant misstatement will occur

• the characteristics of the class of transactions, account balance derived from an estimate, other
account balance, or disclosure involved

• the nature of the specific controls used by the entity and in particular whether they are manual or
automated, and

• whether we expect to obtain audit evidence to determine if the entity's controls are effective in
preventing, or detecting and correcting, material misstatements.

In the KPMG audit, "controls approach" and "substantive approach" have the following meaning within the context
of an audit objective: [3755.0.1]

• we take a controls approach for an audit objective when we evaluate the design and
implementation of relevant controls
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
• we take a substantive approach for an audit objective when we do not evaluate the
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
design and implementation of relevant controls and do not test the operating
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
effectiveness of controls.
Page 53 / 133
In the KPMG audit, "controls approach" and "substantive approach" have the following meaning within the context
of an audit objective: [3755.0.1]
International Audit Workbook (Interntional Audit Workbook)
• we take a controls approach for an audit objective when we evaluate the design and
implementation of relevant controls

• we take a substantive approach for an audit objective when we do not evaluate the
design and implementation of relevant controls and do not test the operating
effectiveness of controls.

In all of the above situations, we perform substantive procedures. [3755.0.2]

In the KPMG audit, for each audit objective, we document in the Planning Matrix whether we will:

• take a "controls approach" or a "substantive approach," and

• audit the audit objective as a "class of transaction," an


"estimate/disclosure" or an "other account balance."
These decisions are very important because they define the form of the Audit Program that we
will use for each audit objective.

We determine whether we take a "controls approach" or a "substantive approach" for each audit
objective, not for the audit as a whole.
We cannot adopt a substantive approach for audit objectives associated with a significant risk.

In determining our audit approach for audit objectives, we evaluate controls at the assertion level as follows: [3757]

• for all audit objectives, we understand and document the accounting activities with respect to the
underlying financial information

• for audit objectives for which we have identified a risk of fraud as a result of our risk assessment
procedures, we determine whether management has implemented controls to prevent and detect
such fraud and we evaluate the design and implementation of antifraud controls relevant to the
identified fraud risk

• for audit objectives associated with significant risks of error, we evaluate the design and
implementation of controls relevant to the identified risk, and

• for audit objectives where we plan to rely on controls to alter the nature, timing, or extent of our
substantive audit procedures, we evaluate the design and implementation and test the operating
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
effectiveness of relevant controls.
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

When determining our general approach, we consider the volume of transactions recorded in Page 54 / 133
balances for related significant accounts. The greater the volume of transactions the more likely
• for audit objectives associated with significant risks of error, we evaluate the design and
implementation of controls relevant to the identified risk, and
International Audit Workbook (Interntional Audit Workbook)
• for audit objectives where we plan to rely on controls to alter the nature, timing, or extent of our
substantive audit procedures, we evaluate the design and implementation and test the operating
effectiveness of relevant controls.

When determining our general approach, we consider the volume of transactions recorded in
balances for related significant accounts. The greater the volume of transactions the more likely
that we will take a controls approach, as it is difficult to gain sufficient, appropriate audit
evidence regarding transactions recorded in the related significant accounts without testing the
operating effectiveness of controls.

We should plan to rely on controls when it is: [3757]

• more efficient, or

• not possible or practical to obtain sufficient appropriate audit evidence only from substantive
audit procedures in order to reduce audit risk to an acceptably low level.
The following decision tree shows how we evaluate controls and determine further audit procedures for audit objectives not
associated with a significant risk. [3758]

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 55 / 133
International Audit Workbook (Interntional Audit Workbook)

For all audit objectives associated with a significant risk (of fraud or error), we evaluate the

! design and implementation of selected controls.

We determine and document our planned audit approach for each audit objective in the Planning
Matrix.
The Planning Matrix documents the following steps that we perform in developing our planned
audit approach:

• disaggregate financial statement captions into significant accounts and


disclosures, which may themselves include several account balances

• map the specific inherent risks identified from our risk assessment
procedures to significant accounts and related assertions

• identify other assertions for each significant account for which we need to
obtain audit evidence

• consider whether a risk is specifically related to fraud

• develop audit objectives (e.g., group assertions for one or more


significant accounts affected by the same risks and which we are likely to
audit using the same audit procedures. These accounts are likely to be
related to the same classes of transactions.)

• link audit objectives to the relevant Audit Programs

• assess the inherent risk related to each audit objective as


"significant" (e.g., whether they require special audit consideration),
"moderate," or "low," and

• determine our planned audit approach (e.g., "controls approach" or


"substantive approach" and whether we will address the audit objective
as "class of transaction," "estimate/disclosure," or an "account balance."
In addition, we decide whether we plan to test the operating effectiveness
of controls and perform substantive analytical procedures and tests of
details.)

An example Planning Matrix is shown below:

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 56 / 133
International Audit Workbook (Interntional Audit Workbook)

3.9.7 Nature, Timing, and Extent of Further Audit Procedures

Nature
The nature of further audit procedures refers to: [3767]

• their purpose (tests of control or substantive procedures, including tests of details, and
substantive analytical procedures)

• their type (inspection, observation, inquiry, confirmation, recalculation, reperformance, or


analytical procedures).
Certain audit procedures may be more appropriate for some assertions than others. For example, in relation to revenue,
tests of controls may be most responsive to the assessed risk of misstatement of the completeness assertion, whereas
substantive procedures may be most responsive to the assessed risk of misstatement of the existence and occurrence
assertion [3768].
Our selection of audit procedures is based on the assessment of risk. The higher our assessment of risk, the more reliable
and relevant is the audit evidence sought by us from substantive procedures. This may affect both the types of audit
procedures to be performed and their combination. For example, we may confirm the completeness of the terms of a
contract with a third party, in addition to inspecting the document. [3769]

Timing
Timing refers to when we perform audit procedures or to the period or date to which the audit evidence applies. [3781]
We may perform tests of control or substantive procedures at an interim date or at period-end. The higher the risk of
significant misstatement, the more likely it is that we may decide it is more effective to perform substantive procedures
nearer to, or at, the period-end rather than at an earlier date and, if we have identified a risk of fraud related to the
relevant assertions, to perform audit procedures unannounced or at unpredictable times. [3782]
For example, performing audit procedures at selected locations on an unannounced basis.

Extent
The extent of further audit procedures includes the quantity of a specific audit procedure to be performed. [3788]
For example, a sample size or the number of observations of a control activity.
In particular, we ordinarily increase the extent of audit procedures as the risk of significant misstatement increases.
However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific
risk; therefore, the nature of the audit procedure is the most important consideration. [3790]

3.9.8 Other Considerations


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
Incorporation of an Individuals within the entity who are familiar with the audit procedures ordinarily
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
element of unpredictability performed on the audit may be better able to conceal fraudulent financial reporting.
Therefore, we ordinarily incorporate an element of unpredictability in the selection of Page 57 / 133
the nature, extent, and timing of auditing procedures to be performed. [3795]
However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific
risk; therefore, the nature of the audit procedure is the most important consideration. [3790]
International Audit Workbook (Interntional Audit Workbook)
3.9.8 Other Considerations

Incorporation of an Individuals within the entity who are familiar with the audit procedures ordinarily
element of unpredictability performed on the audit may be better able to conceal fraudulent financial reporting.
Therefore, we ordinarily incorporate an element of unpredictability in the selection of
the nature, extent, and timing of auditing procedures to be performed. [3795]
Incorporating an element of unpredictability may include: [3797]

• selecting account balances and assertions not otherwise tested


due to their materiality or presumed low risk

• adjusting the timing of the audit procedure from when it is


ordinarily expected to be undertaken

• using different sampling methods

• performing audit procedures at locations not previously visited


or on an unannounced basis.

Use of CAATs Using CAATs to perform audit procedures may enhance the effectiveness of the audit
process by facilitating faster and more extensive review and analysis of large data
populations. CAATs may provide the ability to analyze complete populations of data;
to easily profile, extract, and summarize items based on specific characteristics; and
to apply selected KPMG preprogrammed routines. [3805]
CAATs procedures often require adequate planning to determine the appropriate
level of skills to execute and use the results of CAATs. They may also require an
appropriate level of understanding of the KPMG Routines, a standard functionality of
the application used to perform CAATs, and the entity's computer-based information
systems and data. Accordingly, in Planning we identify those significant accounts or
disclosures and the related audit objectives where we plan to perform CAATs. [3807]

Journal entries To respond to the risk of management override of controls, we design and perform
audit procedures to test the appropriateness of journal entries recorded in the
general ledger and other adjustments made in the preparation of financial
statements. [7350]
Audit objectives 3 and 5 and Appendix II of the Financial Reporting Audit Program
provide audit procedures and guidance regarding our approach to journal entries.

IDEA® CAATs can help make an audit more effective. CAATs can often be performed without
the involvement of IRM specialists.

3.10. Changes to Our Audit Strategy or Planned Audit Approach


As a result of unexpected events, changes in conditions, or the audit evidence obtained from the results of audit procedures,
we may need to modify the overall audit strategy and audit plan, and thereby the resulting planned nature, timing, and
extent of further audit procedures. [3815]
In such circumstances, we reevaluate the planned audit procedures based on the revised consideration of assessed risks at
the assertion level for all or some of the significant accounts or disclosures. [3816]
If our overall audit strategy or planned audit procedures change significantly based on the revised consideration of assessed
risks at the assertion level for all or some of the audit objectives, the related significant modifications of our audit strategy
and planned audit approach are reflected in the Audit Programs and documented in the Completion Document. [3819]
The engagement partner determines whether the changes to the overall audit strategy or to planned audit procedures are
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
such that revisions to the results and/or conclusions of Planning as a whole or only to certain audit areas are indicated. In
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
case of revisions to the overall approach to our audit, the Planning Document is revised, the appropriate engagement team
members review and sign the revised Planning Document, and the original and revised versions of the Planning Document Page 58 / 133
are retained as part of our audit files. When only certain audit areas are affected, the engagement partner may determine
the assertion level for all or some of the significant accounts or disclosures. [3816]
If our overall audit strategy or planned audit procedures change significantly based on the revised consideration of assessed
risks at the assertion level for all or someInternational
of the auditAuditobjectives, the related
Workbook (Interntional significant
Audit Workbook) modifications of our audit strategy
and planned audit approach are reflected in the Audit Programs and documented in the Completion Document. [3819]
The engagement partner determines whether the changes to the overall audit strategy or to planned audit procedures are
such that revisions to the results and/or conclusions of Planning as a whole or only to certain audit areas are indicated. In
case of revisions to the overall approach to our audit, the Planning Document is revised, the appropriate engagement team
members review and sign the revised Planning Document, and the original and revised versions of the Planning Document
are retained as part of our audit files. When only certain audit areas are affected, the engagement partner may determine
to document the change to the audit strategy or to the planned audit procedures in the Completion Document instead of
revising the Planning Document. The engagement team documents only those changes that are significant to the audit.
[3820]

If during Control Evaluation or Substantive Testing an additional financial statement or assertion


level risk is identified or if we reassess the significance of a risk that was identified during
Planning, we document in the Completion Document the modification to our audit strategy and/or
planned audit procedures, including the rationale and resolution of the issue that caused the
change. In addition, when applicable, we also modify the Audit Program.
Interntional Audit Workbook

Chapter 4 - Control Evaluation


The objective of Control Evaluation is to gain an understanding of the entity's accounting activities and to evaluate controls
so that we can assess the risk of significant misstatement for each audit objective and plan our substantive procedures.
[4002]

Internal control is the process designed and affected by those charged with governance, management, and other
personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws
and regulations. [9141]
Internal control consists of the following components: [9142]

• the control environment

• the entity's risk assessment process

• the information system, including the related business processes, relevant to financial
reporting, and communication

• control activities, and

• monitoring of controls.

The way in which internal control is designed and implemented varies with an entity's size and complexity.
Specifically, smaller entities may use less formal means and simpler processes and procedures to achieve their
objectives.
For example, smaller entities with active management involvement in the financial reporting process may not have
extensive descriptions of accounting procedures or detailed written policies.
For some smaller entities, the owner-manager may perform functions that in a larger entity would be regarded as
belonging to several of the components of internal control. Therefore, the components of internal control may not
be clearly distinguished, but their underlying purposes are equally valid.

Control Evaluation is described in the following chart:

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 59 / 133
Control Evaluation is described in the following chart:
International Audit Workbook (Interntional Audit Workbook)

The extent of our control evaluation work varies as follows: [4003]

• in Planning we evaluate the design and implementation of entity level controls and consider the
impact of entity level controls on our audit strategy and planned audit approach [4003.1]

• for every audit objective, we obtain an understanding of, and document in the Audit Program, the
relevant accounting activities with respect to the underlying financial information [4003.2]

• for audit objectives that include relevant assertions that are associated with a risk of fraud, we
determine whether management has implemented controls to prevent and detect such fraud; we
evaluate the design and implementation of antifraud controls that are relevant to the identified
fraud risk and consider the risk of management override of such controls [4003.7]

• for audit objectives associated with a significant inherent risk of error, we evaluate the design
and implementation of selected assertion level controls [4003.8]

• for audit objectives where we plan to rely on the operating effectiveness of controls to modify the
nature, timing, and extent of our substantive procedures, we evaluate the design and
implementation and test the operating effectiveness of selected assertion level controls. [4003.9]
We plan to rely on the operating effectiveness of controls to provide audit evidence and to modify the nature, timing, and
extent of our substantive procedures where it is: [4003.9.0.1]

• more efficient to evaluate the design and implementation and test the operating effectiveness of
selected controls, or

• not possible or practical to achieve our audit objective with audit evidence obtained only from
substantive audit procedures.

4.1. Entity Level Controls


Entity level controls are internal controls that operate at the entity level rather than at the specific assertion level and
therefore generally include all components of internal control except control activities, which are considered at the assertion
level. [3028.1.1]
We consider entity level controls early in the audit process because our evaluation of these controls can result in increasing
or decreasing the testing that we would otherwise have performed on assertion level controls as well as the nature, timing,
and extent of substantive procedures. [3028.2]
Additionally, as entity level controls are likely to be pervasive to the financial statements as a whole, we obtain an
understanding of entity level controls to: [3029]

• identify risks of material misstatement in the financial statements


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• determine our audit strategy, and
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

• plan the nature, timing, and extent of our further audit procedures. Page 60 / 133
or decreasing the testing that we would otherwise have performed on assertion level controls as well as the nature, timing,
and extent of substantive procedures. [3028.2]
Additionally, as entity level controls are likely to be pervasive to the financial statements as a whole, we obtain an
International Audit Workbook (Interntional Audit Workbook)
understanding of entity level controls to: [3029]

• identify risks of material misstatement in the financial statements

• determine our audit strategy, and

• plan the nature, timing, and extent of our further audit procedures.
Obtaining an understanding of entity level controls involves evaluating the design and implementation of the individual
components of entity level controls. [3030]

In a financial statement audit we are required to evaluate the design and implementation of
entity level controls but we are not required to test their operating effectiveness. Where entity
level controls are ineffective or partially effective, this may increase our assessment of RoSM for
audit objectives and therefore, impact the nature, timing, and extent of our substantive
procedures. [4912.1]

We obtain this understanding and evaluate the design and implementation of entity level controls simultaneously with our
risk assessment procedures in Planning. [3631]

Our evaluation of entity level controls includes procedures to evaluate the design and
implementation of the entity's broad programs and controls to prevent, deter, and detect fraud.

Entity level controls consist of the following components:

Control environment The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for effective internal control,
providing discipline and structure. [4012]
In obtaining an understanding of and evaluating the design of the control
environment and determining whether appropriate controls have been implemented,
we understand how management, with the oversight of those charged with
governance, has created and maintained a culture of honesty and ethical behavior
and established appropriate controls to prevent and detect fraud and error within the
entity. [4013]
In obtaining and documenting an understanding of and evaluating the design of the
entity's control environment, we consider each of the elements identified above and
how they have been incorporated into the entity's processes. [4225]

Risk assessment process The entity's risk assessment process is management's process for identifying
business risks relevant to financial reporting and deciding how those risks should be
managed. A precondition to risk assessment is the establishment of objectives, linked
at different levels and internally consistent. [4241.1]
In obtaining an understanding of the entity's risk assessment process, we determine
how management identifies business risks relevant to financial reporting, estimates
the significance of the risks, assesses the likelihood of their occurrence, and decides
upon actions to manage them. If the entity's risk assessment process is appropriate
to the circumstances, it assists us in identifying risks of material misstatement.
[4244]
In obtaining and documenting an understanding of the entity-wide risk assessment
process, we consider whether management: [4250]

• effectively communicates entity-wide objectives and strategies

• has an ongoing risk assessment process (formal or informal)


that identifies business risks relevant to financial reporting, their
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
significance, the likelihood of their occurrence and how to
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
manage them, and adequately addresses the effects of
changing conditions on the entity
Page 61 / 133
In obtaining and documenting an understanding of the entity-wide risk assessment
process, we consider whether management: [4250]

• International communicates
effectively Audit Workbook (Interntional
entity-wide Auditobjectives
Workbook) and strategies

• has an ongoing risk assessment process (formal or informal)


that identifies business risks relevant to financial reporting, their
significance, the likelihood of their occurrence and how to
manage them, and adequately addresses the effects of
changing conditions on the entity

• ensures effective compliance with laws and regulations,


including regulatory compliance, for all laws and regulations that
have a fundamental effect on the operations of the entity

• assesses the entity's ability to continue as a going concern

• identifies and evaluates the vulnerability of the entity to


fraudulent activity and whether this could result in a material
misstatement in the financial statements

• implements controls in areas identified as a higher risk of


fraudulent activity, and

• was involved in and communicated the outcome of this process


to those charged with governance.

Information system and An information system consists of infrastructure (physical and hardware
communication components), software, people, procedures, and data. Infrastructure and software
will be absent, or have less significance, in systems that are exclusively or primarily
manual. Many information systems make extensive use of IT. [4253.2]
In obtaining and documenting an understanding of the information system relevant to
financial reporting, we consider whether management has: [4269]

• developed an information system, linked to the entity's overall


strategy, which is responsive to achieving the entity-wide and
activity-level objectives

• developed an IT strategy that supports the entity's overall


strategy with respect to the financial reporting information
systems

• controls over obtaining external and internal information to


provide management with necessary reports on the entity's
performance relative to established financial reporting
objectives, and

• an information system that encompasses methods and records


that:
- identify and record all valid transactions
- describe on a timely basis the transactions in sufficient detail
to permit proper classification of transactions for financial
reporting
- measure the value of transactions in a manner that permits
recording their proper monetary value in the financial
statements
- determine the time period in which transactions occurred to
permit recording of transactions in the proper accounting
period, and
- present properly the transactions and related disclosures in
the financial statements.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Communication involves providing an understanding of individual roles and
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
responsibilities pertaining to internal control over financial reporting. It includes the
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
extent to which personnel understand how their activities in the financial reporting
information system relate to the work of others and the means of reporting Page 62 / 133
- determine the time period in which transactions occurred to
permit recording of transactions in the proper accounting
period, and
International Audit Workbook (Interntional Audit Workbook)
- present properly the transactions and related disclosures in
the financial statements.
Communication involves providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting. It includes the
extent to which personnel understand how their activities in the financial reporting
information system relate to the work of others and the means of reporting
exceptions to an appropriate higher level within the entity. [4272.4]
Open communication channels help ensure that exceptions are reported and acted
on. [4272.4]
Communication takes such forms as policy manuals, accounting and financial
reporting manuals, and memoranda. Communication also can be made electronically,
orally, and through the actions of management. [4272.5]

Monitoring Monitoring of controls is a process to assess the effectiveness of internal control


performance over time. It involves assessing the design and operation of controls on
a timely basis and taking necessary corrective actions modified for changes in
conditions. Management accomplishes monitoring of controls through ongoing
activities (e.g., internal audit programs), separate evaluations, or a combination of
the two. Ongoing monitoring activities are often built into the normal recurring
activities of an entity and may include regular management and supervisory activities.
[4023.1]
In obtaining and documenting an understanding of the monitoring activities, we
consider whether: [4284]

• management monitors the results of the operations of the


business units against objectives and expected results, including
budgets and forecasts

• management ensures the effectiveness of:


- any self-assessment processes or periodic systems
evaluations used
- internal audit activities (including IT internal audit)
- monitoring controls performed at centralized processing
locations, including shared service centers, and
- monitoring of computer operations

• management performs comparisons of amounts recorded in the


accounting system with physical assets

• management monitors the effectiveness of internal controls over


financial reporting and initiates corrective actions to its controls

• management considers the reliability of information related to


the entity's monitoring activities

• management has policies and procedures for identifying,


evaluating, and accounting for litigation and claims, and

• internal audit activity (where applicable) is adequate, including


IT internal audit, and whether the head of internal audit reports
directly to those charged with governance.

The control environment includes the governance and management functions and the attitudes, awareness, and
actions of those charged with governance and management concerning the entity's internal control and its
importance to the entity. The control environment is a component of internal control. It includes an entity's:
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
[9062]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• communication and enforcement of integrity and ethical values
Page 63 / 133
• commitment to competence
directly to those charged with governance.

International Audit Workbook (Interntional Audit Workbook)


The control environment includes the governance and management functions and the attitudes, awareness, and
actions of those charged with governance and management concerning the entity's internal control and its
importance to the entity. The control environment is a component of internal control. It includes an entity's:
[9062]

• communication and enforcement of integrity and ethical values

• commitment to competence

• participation by those charged with governance

• assignment of authority and responsibility

• management's philosophy and operating style

• organizational structure, and

• human resources policies and practices.

For an SE or VSE engagement, we consider the following:

•  Audit evidence for elements of the control environment may not be available in
documentary form, in particular for smaller entities where communication between
management and other personnel may be informal, yet effective. For example,
management's commitment to ethical values and competence are often implemented
through the behavior and attitude they demonstrate in managing the entity's business
instead of in a written code of conduct. Consequently, management's attitudes,
awareness, and actions are of particular importance in the design of a smaller entity's
control environment.

•  The role of those charged with governance is often undertaken by the owner-manager
where there are no other owners.

•  Smaller entities may implement the control environment elements differently than larger
entities do. For example, smaller entities might not have a written code of conduct, but
instead develop a culture that emphasizes the importance of integrity and ethical
behavior through oral communication and by management example.

•  Through the visibility and direct involvement of senior management, the commitment to
integrity and ethical values can be communicated verbally in staff meetings and one-on-
one meetings.

•  The nature of an entity's control environment is such that it has a pervasive effect on
assessing the risks of material misstatement. For example, owner/manager controls
may mitigate a lack of segregation of duties in a small business.

•  A smaller entity may not have formalized human resources policies. Policies and
practices nevertheless may exist and be communicated by senior management to the
staff. Expectations about the type of person to be hired can be verbally communicated
and several, if not all levels, of senior management may typically be involved in the
recruiting process. Formal documentation is not always necessary for a policy or control
to be in place and operating effectively.

•  The basic concepts of the entity's risk assessment process are relevant to every entity,
regardless of size, but the risk assessment process is likely to be less formal and less
structured in smaller entities than in larger ones.

•  All entities should have established financial reporting objectives, but they may be
recognized implicitly rather than explicitly in smaller entities. Management may be aware
of risks related to these objectives without the use of a formal process but through direct
personal involvement with employees and outside parties.

•  For smaller entities, we discuss with management how risks to the business are
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
identified by management and how they are addressed.
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
•  Information systems and related business processes relevant to financial reporting in
smaller entities are likely to be less formal than in larger entities, but their role is just as Page 64 / 133
significant. Smaller entities with active management involvement may not need extensive
•  All entities should have established financial reporting objectives, but they may be
recognized implicitly rather than explicitly in smaller entities. Management may be aware
of risks related to these objectives without the use of a formal process but through direct
International Audit Workbook (Interntional Audit Workbook)
personal involvement with employees and outside parties.

•  For smaller entities, we discuss with management how risks to the business are
identified by management and how they are addressed.

•  Information systems and related business processes relevant to financial reporting in


smaller entities are likely to be less formal than in larger entities, but their role is just as
significant. Smaller entities with active management involvement may not need extensive
descriptions of accounting procedures, sophisticated accounting records, or written
policies.

•  Ongoing monitoring activities of smaller entities are more likely to be informal and are
typically performed as a part of the overall management of the entity's operations.
Management's close involvement in operations often will identify significant variances
from expectations and inaccuracies in financial data leading to corrective action to the
control.

•  A smaller entity's management may have a more "hands-on" involvement in most areas
of the entity's operations. For example, frequent visits to the factory floor, assembly
area, or warehouse and comparing physical inventory with amounts reported by the data
processing system are all monitoring controls of a smaller entity.

•  A smaller entity is less likely to undergo separate evaluations of the internal control
systems; however, a "hands-on" approach involving ongoing monitoring by senior
management may be just as effective. Also, a smaller entity may give accounting
personnel the responsibility to evaluate controls of certain operations.

4.1.1 Evaluate the Design and Implementation of Entity Level Controls

Evaluating the design of a control involves considering whether the control, individually or in combination with
other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
[9099.0.1]
Implementation of a control means that the control exists and that the entity is using it. [4440]

Audit procedures performed to gain an understanding about the design and implementation of relevant controls may include
inquiring of entity personnel, observing the application of specific controls, and inspecting documents and reports. [4210]
Inquiry alone is not sufficient to evaluate the design of a control relevant to an audit and to determine whether it has been
implemented. We usually perform a combination of inquiry and other techniques to obtain sufficient appropriate audit
evidence to support a conclusion about the design of a control. We focus on combinations of controls, in addition to specific
controls in isolation, when assessing whether the objectives of the control criteria have been achieved. We also consider the
audit evidence obtained from our previous experience with the entity. [4211]

4.1.2 Prior Period Material Weaknesses and Other Deficiencies in Internal Control over
Financial Reporting
Based on the actions taken by management with respect to material weaknesses and other deficiencies in internal control
over financial reporting that had a significant impact on our audit approach and that were reported in the prior period, we
assess the control consciousness of management. We also document any continuing control deficiencies noted and
communicate them appropriately. [4216]

4.1.3 Effect of Entity Level Controls on Our Audit


Entity level controls often have a pervasive impact on control activities over classes of transactions, account balances
derived from estimates, other account balances, and disclosures and therefore on our assessment of the risk of significant
misstatement. Our understanding and evaluation of the design and implementation of entity level controls includes
considering whether the control environment provides an appropriate foundation for the other components of internal
control. The nature of the risks arising from a weak control environment is such that they are not likely to be confined to
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
specific individual risks of material misstatement in particular classes of transactions, account balances derived from
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
estimates, other account balances, and disclosures. Rather, weaknesses such as management's lack of competence may
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
have a more pervasive effect on the financial statements and may, where appropriate, require an overall response by us.
[4203] Page 65 / 133
Entity level controls often have a pervasive impact on control activities over classes of transactions, account balances
derived from estimates, other account balances, and disclosures and therefore on our assessment of the risk of significant
misstatement. Our understanding and evaluation
InternationalofAudit
the Workbook
design and implementation
(Interntional of entity level controls includes
Audit Workbook)
considering whether the control environment provides an appropriate foundation for the other components of internal
control. The nature of the risks arising from a weak control environment is such that they are not likely to be confined to
specific individual risks of material misstatement in particular classes of transactions, account balances derived from
estimates, other account balances, and disclosures. Rather, weaknesses such as management's lack of competence may
have a more pervasive effect on the financial statements and may, where appropriate, require an overall response by us.
[4203]
We conclude as to whether the design and implementation of the control environment, entity-wide risk assessment process,
information systems relevant to financial reporting, and monitoring of controls are effective. Our conclusion may impact the
audit approach to specific audit objectives. [4218]
We evaluate the design and implementation of individual entity level controls as either effective or ineffective; we then make
an overall assessment for each component of entity level controls as follows:

Evaluation of entity Effect of entity level controls on our planned audit approach
level controls

Effective - appropriately We may expect to find controls at the assertion level to also be effective and, thus,
designed and implemented we may plan our audit approach for selected audit objectives to include tests of the
operating effectiveness of controls. [3632]

Partially effective - We consider the effect of such deficiencies in determining our audit approach at the
appropriately designed and assertion level. [3632.1]
implemented, but with a
limited number of identified
deficiencies

Ineffective - not It is less likely that controls at the assertion level are appropriately designed,
appropriately designed or implemented, and operating effectively; therefore, we would apply our audit
implemented approach with an emphasis on substantive procedures. [3632.2]

It would be unlikely that weak entity level controls would render all assertion level controls unreliable, other than
in the smallest entities. Therefore, for audit objectives associated with a significant risk, we seek to identify
relevant controls and consider how the controls are impacted by the weaknesses in entity level controls.

Based on our understanding and the evaluation of the effectiveness of entity level controls in

! each of the sections in the Entity Level Controls Program, we document the implications on our
audit in the Planning Document. For example, if we determine: [4208]

• controls relating to integrity and ethical values to be ineffective, we may


be unable to rely on management representations

• internal audit to be ineffective or not independent from those charged


with governance, we may not be able to use their work or use them in a
direct assist capacity on the engagement.

For an SE engagement, entity level controls are documented in the SE Planning Document.

4.2. Accounting Activities at the Assertion Level

Accounting activities is a term to describe the information system, including the related business processes
relevant to financial reporting, which includes the following: [9008]

• the procedures, within both IT and manual systems, by which those transactions are
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
initiated, authorized, recorded, processed, and reported in the financial statements
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• the related accounting records, whether electronic or manual, supporting information,
and specific accounts in the financial statements with respect to initiating, recording, Page 66 / 133
Accounting activities is a term to describe the information
International system,
Audit Workbook including
(Interntional Auditthe related business processes
Workbook)
relevant to financial reporting, which includes the following: [9008]

• the procedures, within both IT and manual systems, by which those transactions are
initiated, authorized, recorded, processed, and reported in the financial statements

• the related accounting records, whether electronic or manual, supporting information,


and specific accounts in the financial statements with respect to initiating, recording,
processing, and reporting transactions

• how the information system captures events and conditions, other than classes of
transactions, that are significant to the financial statements

• the financial reporting process used to prepare the entity's financial statements,
including significant accounting estimates and disclosures.
We refer to the areas listed above as accounting activities, or the information system. [4302.1]

We should obtain an understanding of the information systems, including the related business processes, relevant to
financial reporting. [4302]
The information system relevant to financial reporting objectives includes the accounting system. It consists of the
procedures and records established to: [4302.2]

• initiate, authorize, record, process, and report entity transactions (as well as events and
conditions), and

• maintain accountability for the related assets, liabilities, and equity.


We organize our procedures by audit objectives. For every audit objective, we obtain an understanding of, and document
the relevant accounting activities with respect to, the underlying financial information. The nature of the activities to be
documented will depend on whether the significant account(s) being addressed in the audit objective is being audited as:
[4303]

• a class of transaction

• an account balance derived from an estimate

• an "other" account balance (not derived from an estimate), or

• a disclosure.

Classes of transactions For classes of transactions, we obtain an understanding of accounting activities for
the purpose of identifying points in the activity that introduce risk (significant risk
points). [4039]
Significant risk points are points where there is a reasonable possibility that a
misstatement, including a misstatement due to fraud, could occur that, individually or
in combination with other misstatements, would exceed the significant misstatement
threshold.[4039]
We identify significant risk points by answering the question: "What could go wrong
and where in the process could an error occur?" [4039]
Our primary concerns usually relate to determining that all transactions are properly
captured and authorized, and that the system can process high volumes of
transactions consistently and accurately. [4333]

Account balances derived Estimates involve judgments, and we are concerned with how management goes
from an estimate about identifying the estimates that need to be made, and the quality of the
judgments inherent in the estimates. [4345]
For account balances derived from estimates, the risk points are likely to be the
specific aspects considered in understanding the accounting activities; therefore, it is
unnecessary to consider risk points in understanding and documenting activities
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
related to account balances derived from estimates. [4040]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Usually, the greater the degree of uncertainty surrounding an identified business risk,
the greater the risk of significant misstatement in the financial statements due to the Page 67 / 133
accounting estimate. This is because management may find it more difficult to
Account balances derived Estimates involve judgments, and we are concerned with how management goes
from an estimate about identifying the estimates that need to be made, and the quality of the
judgments inherent in the estimates. [4345]
International Audit Workbook (Interntional Audit Workbook)
For account balances derived from estimates, the risk points are likely to be the
specific aspects considered in understanding the accounting activities; therefore, it is
unnecessary to consider risk points in understanding and documenting activities
related to account balances derived from estimates. [4040]
Usually, the greater the degree of uncertainty surrounding an identified business risk,
the greater the risk of significant misstatement in the financial statements due to the
accounting estimate. This is because management may find it more difficult to
establish effective controls to prevent, or to detect and correct, a significant
misstatement where there is a higher degree of uncertainty. [4346.4]
When obtaining an understanding of relevant accounting activities related to account
balances derived from estimates, we consider:[4346]/[4346.1]

• the underlying business risks

• the preparation of the estimate

• quality of information used

• assumptions on which the estimate is based

• qualifications and competence of the preparer, relative to the


complexity, and

• historical accuracy of the estimate.

"Other" account balances Our understanding and documentation of accounting activities for those other
significant account balances, where we are not testing the related classes of
transactions, covers the activities over ensuring that the period-end account balance
is not significantly misstated, as well as any controls identified related to these
activities. [4368]

Disclosures When obtaining an understanding of relevant accounting activities and controls


related to disclosures, we consider: [4370]

• the preparation of the disclosure

• the quality of information used

• the assumptions on which the disclosure is based, and

• the qualifications, competence, and objectivity of the preparer of


the disclosure.
For disclosures, the risk points are likely to be the specific aspects considered in
understanding the accounting activities. [4370.1]

The Audit Program has separate sections to document accounting activities and controls. The
section used depends on whether a controls approach or substantive approach will be used and
whether the audit objective addresses one or more classes of transactions, an account balance
derived from an estimate, an other account balance, or a disclosure. Each section includes our
specific considerations for that approach.

For SE and VSE engagements, the boxes in the Audit Program for documentation of accounting activities have
been combined for consideration and documentation.

4.3. Controls at the Assertion Level


Assertion level controls include control activities, the entity's risk assessment process relevant to assertions, and the
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
monitoring of controls applied at the assertion level. [4033.1.1]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
When we follow a controls approach, we document selected controls and evaluate their design and implementation. Where
Page 68 / 133
we plan to rely on controls to alter the nature, timing, or extent of our substantive procedures, we also test their operating
been combined for consideration and documentation.

4.3. Controls at the Assertion Level


International Audit Workbook (Interntional Audit Workbook)

Assertion level controls include control activities, the entity's risk assessment process relevant to assertions, and the
monitoring of controls applied at the assertion level. [4033.1.1]
When we follow a controls approach, we document selected controls and evaluate their design and implementation. Where
we plan to rely on controls to alter the nature, timing, or extent of our substantive procedures, we also test their operating
effectiveness. We plan to rely on controls when it is: [3757]

• more efficient, or

• not possible or practical to obtain sufficient appropriate audit evidence only from substantive
audit procedures in order to reduce audit risk to an acceptably low level.

4.3.1 Control Activities

Control activities are a component of internal control. They are the policies and procedures that help ensure that
management's directives are carried out. For example, that necessary actions are taken to address risks that
threaten the achievement of the entity's objectives. [4406]

We consider whether, and how, a specific control activity, individually or in combination with others, prevents, or detects
and corrects, material misstatements in classes of transactions, account balances derived from estimates, other account
balances, or disclosures. [4046]

We need to distinguish between accounting activities and control activities where we plan to
obtain audit evidence through tests of operating effectiveness of the relevant assertion level
controls. Testing an accounting activity rather than a control will not provide the necessary audit
evidence.
Examples of control activities include approvals, authorizations, verifications, reconciliations,
reviews of operating performance, security of assets, segregation of duties, and information
processing activities such as exception/edit reports, system configuration/account mapping
controls, and interface/conversion controls.

Our emphasis is on identifying and obtaining an understanding of control activities that address the points where we
consider that material misstatements are more likely to occur. For classes of transactions, these are the significant risk
points that we identified when documenting our understanding of the accounting activities. For a class of transactions, we
generally seek to identify those controls that cover more than one significant risk point. For account balances derived from
estimates or for disclosures, these are the specific aspects considered in understanding the accounting activities that we
have documented. [4046.1]/[4047]
When multiple control activities achieve the same control objective, it may not be necessary to obtain an understanding of
each of the control activities related to such objective. [4047]
Examples of specific control activities include those relating to:

Segregation of duties Assigning different people the responsibilities of authorizing transactions, recording
[4614] transactions, and maintaining custody of assets is intended to reduce the
opportunities to allow any person to be in a position to both perpetrate and conceal
errors or fraud in the normal course of the person's duties. [4615]

Performance reviews These control activities include reviews and analyses of actual performance versus
[4620] budgets, forecasts, prior period performance, or other key performance indicators;
relating different sets of data-operating or financial-to one another, together with
analyses of the relationships and investigative and corrective actions; comparing
internal data with external sources of information; and management review of
functional or activity performance, such as a bank's consumer loan manager's review
of reports by branch, region, and loan type for loan approvals and collections. [4621]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
Information processing A variety of controls that are performed to confirm the accuracy, completeness, and
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
[4613.65] authorization of transactions. The two broad groupings of control activities relating to
information systems are application controls and IT general controls. Examples of Page 69 / 133
application controls include exception/edit reports, system configuration/account
relating different sets of data-operating or financial-to one another, together with
analyses of the relationships and investigative and corrective actions; comparing
internal data with external
International sources(Interntional
Audit Workbook of information; and management review of
Audit Workbook)
functional or activity performance, such as a bank's consumer loan manager's review
of reports by branch, region, and loan type for loan approvals and collections. [4621]

Information processing A variety of controls that are performed to confirm the accuracy, completeness, and
[4613.65] authorization of transactions. The two broad groupings of control activities relating to
information systems are application controls and IT general controls. Examples of
application controls include exception/edit reports, system configuration/account
mapping controls, interface/conversion controls, and system access. [4613.66]
When evaluating the design and implementation and testing the operating
effectiveness of controls, we identify and focus our evaluation and testing on the
application control(s) that manage relevant risks rather than evaluating and testing
all of the entity's application controls within a particular process. [4613.68.1]
Application controls have a strong relationship with IT general controls and are
audited in conjunction with those IT general controls. [4613.68.2]

Physical controls [4661] These activities encompass the physical security of assets, including adequate
safeguards such as secured facilities over access to assets and records; access to
computer programs and data files; and periodic counting and comparison
(reconciliation) with amounts shown on control records. [4662]
The extent to which physical controls intended to prevent theft of assets are relevant
to the reliability of financial statement preparation, and therefore the audit, depends
on circumstances such as when assets are highly susceptible to misappropriation.
[4664]

The concepts underlying control activities in smaller entities are likely to be similar to those in larger entities, but
the formality with which they operate varies. Further, smaller entities may find that certain types of control
activities are not relevant because of controls applied by management.
For example, management's retention of authority for approving credit sales, significant purchases, and draw-
downs on lines of credit can provide strong control over those activities, lessening or removing the need for more
detailed control activities.
Smaller entities often have fewer employees, which may limit the extent to which segregation of duties is
practicable. However, for key areas, even in a very small entity, it can be practicable to implement some degree
of segregation of duties or other form of unsophisticated but effective controls. The potential for override of
controls by the owner-manager depends to a great extent on the control environment and in particular, the
owner-manager's attitudes about the importance of internal control.

4.3.2 IT General Controls

IT general controls are policies and procedures that relate to many applications and support the effective
functioning of application controls (i.e., automated controls and manual controls with an IT component by helping
to ensure the continued proper operation of information systems. Application controls may not operate effectively
unless adequate IT general controls are in place to support them. [4613.4]
For example, limits over who can approve check requisitions in the system are irrelevant if the IT general controls
are not adequate to help ensure that these limits are consistently applied (e.g., through periodic review by
management of whether individual access rights are appropriately limited in accordance with business policies).

We only test the operating effectiveness of IT general controls if they support the operating effectiveness of the application
controls on which we intend to rely to provide audit evidence and to modify the nature, timing, and extent of substantive
procedures. [4613.12.2]
If relevant to the engagement, the audit objectives listed below are mandatory when completing the IT General Controls
Program. [4613.9.1.2]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
For an SE engagement, the IT General Controls Program has been integrated into the SE Planning Document;
Page 70 / 133
although the considerations remain the same, the extent of required documentation has been reduced.
We only test the operating effectiveness of IT general controls if they support the operating effectiveness of the application
controls on which we intend to rely to provide audit evidence and to modify the nature, timing, and extent of substantive
procedures. [4613.12.2] International Audit Workbook (Interntional Audit Workbook)

If relevant to the engagement, the audit objectives listed below are mandatory when completing the IT General Controls
Program. [4613.9.1.2]

For an SE engagement, the IT General Controls Program has been integrated into the SE Planning Document;
although the considerations remain the same, the extent of required documentation has been reduced.
If the engagement meets the criteria for the involvement of IRM specialists, then the separate IT General Controls
Program is to be completed instead of the IT general controls section in the SE Planning Document.

For VSE engagements, we take a substantive approach for substantially all significant accounts and disclosures. In the
circumstances when there is no reliance on any IT related controls throughout the entire audit, we are not required to
document our understanding of the IT general controls. However, in circumstances when we intend to rely on the operating
effectiveness of automated controls (including manual controls with an IT component, or IT system generated reports)
throughout the period under audit, we evaluate the design and implementation and test the operating effectiveness of such
controls, including related IT general controls and document our procedures in the Audit Program - VSE. The IT General
Controls Program may be used as a guide to determine the relevant work to be performed; however, completion of this
document is not mandatory. The following audit objectives and components are considered in the IT General Controls
Program:

Audit Objective Components

Access to programs and data Programs and data access components [4613.17.2]
To determine whether adequate controls for access to • information security policy/user
programs and data have been established to reduce the awareness
risk of unauthorized/inappropriate access to the relevant
information systems related to financial reporting. • physical access
[4613.17.1] • configuration of access rules

• access administration

• identification and authentication

• monitoring, and

• super users.

Program changes Program change components [4613.28.2]


To determine whether adequate controls for program • authorization, development, testing,
changes have been established to ensure that changes and approval
to existing systems/applications are authorized, tested,
approved, properly implemented, and documented. • migration to the production
[4613.28.1] environment

• configuration changes, and

• emergency changes.

Program development Program development components [4613.43.2]


To determine whether adequate controls for program • methodology for
development have been established to ensure that new development/acquisition
systems/applications which are developed or acquired
are authorized, tested, approved, properly implemented, • design, development, testing, approval,
and documented. [4613.43.1] and implementation, and

• data migration.

Computer operations Computer operations components [4613.51.2]


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
To determine whether adequate controls for computer • job processing
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
operations have been established to ensure that
system/application processing is appropriately • backup and recovery procedures, and
Page 71 / 133
authorized and scheduled and deviations from scheduled • incident and problem management
are authorized, tested, approved, properly implemented, • design, development, testing, approval,
and documented. [4613.43.1] and implementation, and
data Audit
International Audit Workbook •(Interntional migration.
Workbook)

Computer operations Computer operations components [4613.51.2]


To determine whether adequate controls for computer • job processing
operations have been established to ensure that
system/application processing is appropriately • backup and recovery procedures, and
authorized and scheduled and deviations from scheduled • incident and problem management
processing are identified and resolved. [4613.51.1] procedures.

End-user computing The entity may support end-user computing with IT


general controls consistent with its level of
We determine whether management has implemented sophistication. Such general controls should, however,
appropriate policies and procedures to ensure IT address access to programs and data, program change,
general controls are properly applied to end-user program development, and computer operations.
computing environment, including controls to address: [4613.60.4]
• access to programs and data Management should have appropriate controls in place
• program change to ensure that policies to address IT general controls
over critical data, transactions, and programs being
• program development, and maintained by end users exist and are being followed.
• computer operations. Generally, IT general controls and application controls
over end-user computing are documented in the
relevant Audit Program. [4613.62]

We complete an IT General Controls Program for each relevant IT environment when we intend
to rely on application controls to provide audit evidence and to modify the nature, timing, and
extent of our substantive procedures. [4613.9.3]
An IT environment is an environment where the entity has implemented a common set of
policies and procedures to support the effective functioning of application controls. IT general
controls, by their nature, are not limited to individual applications or locations. A single IT
general control may relate to multiple applications or locations. [4613.9.3.1]
For example, an ERP system often operates in a single environment, and this may cover all our
financial systems, whereas "legacy" systems often have their own "computing environment" and
may require a separate IT General Controls Program for each system.

In the Audit Program there is a question for every control identified as to whether the control has
an IT component. There will be an IT component for every IT application control and for every
manual control that uses data produced by an IT system.
Whenever we intend to rely on these controls to modify the nature, timing, and extent of our
substantive procedures, we will need to understand the related IT general controls, evaluate
their design and implementation, and test their operating effectiveness.

We determine that we have the appropriate knowledge, skills, and experience within the
engagement team to evaluate and test IT general controls; we will frequently involve IRM
specialists in the audit to evaluate the design and implementation, and test the operating
effectiveness of IT general controls and relevant automated application controls.

Our response to ineffective IT general controls may include performing additional audit
procedures that would enable us to continue to rely on the application control, evaluating the
design and implementation, and testing the operating effectiveness of other controls designed to
achieve the same control objective or increasing our assessment of control risk and therefore
RoSM thereby modifying the nature, timing, and extent of our substantive procedures. We
ordinarily work closely with IRM specialists in responding to ineffective IT general controls.
[4793.4.0.2]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Where a compensating control cannot be identified for a deficient control, or the identified
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
compensating control does not operate at the same level of precision as the deficient control, we
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
modify the nature, timing, and extent of our substantive procedures. [4793.4.1]
Page 72 / 133
design and implementation, and testing the operating effectiveness of other controls designed to
achieve the same control objective or increasing our assessment of control risk and therefore
RoSM thereby modifying the nature,
International Audit timing,
Workbookand extent Audit
(Interntional of our substantive procedures. We
Workbook)
ordinarily work closely with IRM specialists in responding to ineffective IT general controls.
[4793.4.0.2]
Where a compensating control cannot be identified for a deficient control, or the identified
compensating control does not operate at the same level of precision as the deficient control, we
modify the nature, timing, and extent of our substantive procedures. [4793.4.1]

Example controls for each of the four areas of IT general controls are accessible via the LCE
global home page on KWorld by selecting LCE General Global Knowledge followed by ITGC
General Global. While the knowledge has been customized to the LCE workflow, the knowledge
is also applicable for use on the FSA, SE, and VSE workflows.

4.3.3 Risk Assessment Process Relevant to Assertions


In addition to identifying risks at the entity level, management identifies risks at the activity level. If we intend to rely on risk
assessment controls that are unique to a particular audit objective, we document and evaluate these controls in the same
manner as other assertion level controls. [4411.1]

If management does not have adequate processes to identify assertion level risks, we need to
assess how management has determined that internal control is sufficient to address risks of
significant misstatement at the assertion level.

4.3.4 Monitoring of Controls at the Assertion Level


In addition to entity level monitoring controls, management also monitors activity level controls. If we intend to rely on
management's monitoring of activity level controls that are unique to a particular audit objective, we document and evaluate
these controls in the same manner as other assertion level controls. [4418.1]

4.3.5 Select Relevant Controls


An audit does not require an understanding of all the control activities related to each significant class of transactions,
account balance derived from an estimate, other account balance and disclosure in the financial statements, or for every
assertion relevant to them. Therefore, our emphasis is on identifying and obtaining an understanding of control activities
that address the points where we consider that material misstatements are more likely to occur. [4420.1.2]
When multiple control activities achieve the same control objective, it may not be necessary to obtain an understanding of
each of the control activities related to such objective. Our focus is on obtaining an understanding of (including documenting
such understanding) and evaluating those control(s) that effectively address the specified risk. [4420.1.3]

For classes of transactions, we select control activities that address the significant risk points
that we identified when documenting our understanding of the accounting activities.

If we have identified a risk of fraud associated with an audit objective, we evaluate the design
and implementation of antifraud controls that are relevant to the identified fraud risk and, if
effectively designed and implemented, and where we intend to rely on the effectiveness of the
controls to modify the nature, timing, and extent of substantive procedures, we test their
operating effectiveness.

We determine whether to evaluate preventative controls, detective controls, or a combination of both for individual relevant
assertions for individual audit objectives. We ordinarily evaluate a combination of preventative and detective controls,
although we focus on controls that detect and correct a misstatement rather than preventative controls. Detective controls
may provide audit evidence in relation to one or more audit assertions and may be a more effective means of gaining audit
evidence. [4420.3]
We also consider the risks identified at the financial statement level and any deficiencies found in the entity level controls
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
when determining control activities to be evaluated. These may include: [4420.4]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• the incorrect application of accounting principles, including the competency of the individuals and
their ability to interpret and apply generally the applicable financial reporting framework Page 73 / 133
assertions for individual audit objectives. We ordinarily evaluate a combination of preventative and detective controls,
although we focus on controls that detect and correct a misstatement rather than preventative controls. Detective controls
may provide audit evidence in relation toInternational
one or moreAuditaudit assertions
Workbook andAudit
(Interntional mayWorkbook)
be a more effective means of gaining audit
evidence. [4420.3]
We also consider the risks identified at the financial statement level and any deficiencies found in the entity level controls
when determining control activities to be evaluated. These may include: [4420.4]

• the incorrect application of accounting principles, including the competency of the individuals and
their ability to interpret and apply generally the applicable financial reporting framework
For example, when an extended period is required for sales (for example, real estate), delivery (for example,
construction contracting), or collection (for example, installment sales), there may be an increased risk that the
accounting principles for revenue recognition are misapplied.

• a weak control environment


For example, there exists an inappropriate segregation of duties or ineffective systems development process.

• management fraud, possibly through journal entries (including electronic manipulation)

• inappropriately designed computer information systems


For example, computer information systems do not prevent the entry of duplicate transactions.

• misappropriation of assets
For example, misappropriation of assets may occur if employees have access to cash or other negotiable assets.

• ineffective monitoring of controls


For example, the timeliness and accuracy of reconciliations is not monitored.

• entering into business areas or transactions with which the entity has little experience.
To the extent that the design and operating effectiveness of an application control are dependent on an indirect (supporting)
control, we obtain evidence regarding the operating effectiveness of the supporting control. For instance, internal controls in
an application are dependent on IT general controls. [4047.2]; [4420.2.1]

4.3.6 Documentation of Controls

We document controls after we have documented the accounting activities and, for classes of
transactions, the significant risk points.

Our description of a control covers: [4423]

• the objective of the control (including the risk it helps to mitigate)

• how it is performed and documented

• how frequently it is applied

• the knowledge, experience, and skills of the person performing it (if it's a manual control)

• the nature and size of the potential misstatements, both intentional and unintentional, that it is
likely to prevent, detect, and correct, and

• whether the control has an IT component.


This description forms the basis for our evaluation of design and implementation, where we are concerned with whether
the control is capable, if operating effectively, of preventing, or detecting and correcting a significant misstatement in the
financial statements and whether the entity is using the control. [4423.3]

4.3.7 Understanding Likely Sources of Potential Misstatements


In performing our audit, we understand the likely sources of potential misstatements for classes of transactions, account
balances derived from estimates, other account balances, and disclosures. [4430.1]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
To further understand the likely sources of potential misstatements for classes of transactions, and as a part of selecting
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
controls to test, we perform procedures to achieve the following objectives: [4431]
Page 74 / 133
• understand the flow of transactions related to the relevant assertions, including how these
financial statements and whether the entity is using the control. [4423.3]

4.3.7 Understanding Likely Sources of Potential


International Audit Misstatements
Workbook (Interntional Audit Workbook)

In performing our audit, we understand the likely sources of potential misstatements for classes of transactions, account
balances derived from estimates, other account balances, and disclosures. [4430.1]
To further understand the likely sources of potential misstatements for classes of transactions, and as a part of selecting
controls to test, we perform procedures to achieve the following objectives: [4431]

• understand the flow of transactions related to the relevant assertions, including how these
transactions are initiated, authorized, processed, and recorded

• verify that we have identified the relevant significant risk points

• identify the controls that management has implemented to address these significant risk points,
and

• identify the controls that management has implemented over the prevention or timely detection
of unauthorized acquisition, use, or disposition of the entity's assets that could result in a material
misstatement of the financial statements.
For a class of transactions, it is presumed that we will perform walkthroughs in order to achieve the objectives outlined
above. In the event we believe that the objectives of this section can be met by performing procedures other than a
walkthrough, those procedures and their relationship to the objectives are documented in the Audit Program. [4431.1]

In performing a walkthrough, we follow a single transaction from origination through the entity's processes,
including information systems, until it is reflected in the entity's financial records, using the same documents and
information technology that entity personnel use. At the points at which important processing procedures occur,
we question the entity's personnel about their understanding of what is required by the entity's prescribed
procedures and controls. [9322]

Walkthrough procedures usually include a combination of inquiry, observation, and inspection of relevant documentation.
[4432]
The procedures that we perform during our walkthrough are ordinarily sufficient to evaluate the design and implementation
of controls. [4432]
Walkthroughs that include a mix of inquiry, observation, inspection, and reperformance of controls may be sufficient to test
the operating effectiveness of controls depending on the mix of procedures performed; the risk of failure of the control; the
nature, timing, and extent of tests of operating effectiveness; and the results of those procedures. [4432.0.2]

4.3.8 Evaluate the Design and Implementation of Selected Assertion Level Controls
Obtaining an understanding of internal controls involves evaluating the design of a control and determining whether it has
been implemented. Evaluating the design of a control involves considering whether the control, individually or in combination
with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
Implementation of a control means that the control exists and that the entity is using it. We consider the design of a control
in determining whether to consider its implementation. An improperly designed control may represent a material weakness
in the entity's internal control and we consider whether to communicate this to management and those charged with
governance. [4440]; [4114]
Our procedures when evaluating the design and implementation of controls may include: [4444.1]

• inspection of documents and records

• observation of controls being performed, and/or

• inquiries of appropriate personnel


Inquiry alone is not sufficient to provide appropriate evidence to support a conclusion about the effective design and
implementation of a control; therefore, we supplement it with other procedures.

We may be able to evaluate the design and implementation of relevant controls while performing
a walkthrough.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 75 / 133
Although smaller entities usually do not have complex IT environments, we still consider whether specialized skills
Inquiry alone is not sufficient to provide appropriate evidence to support a conclusion about the effective design and
implementation of a control; therefore, we supplement it with other procedures.
International Audit Workbook (Interntional Audit Workbook)

We may be able to evaluate the design and implementation of relevant controls while performing
a walkthrough.

Although smaller entities usually do not have complex IT environments, we still consider whether specialized skills
and the use of Information Risk Management professionals are necessary for testing controls that have an IT
component.

4.4. Test the Operating Effectiveness of Selected Controls

When performing tests of the operating effectiveness of controls, we obtain audit evidence that controls operate
effectively. This includes obtaining audit evidence about how controls were applied at relevant times during the
period under audit, the consistency with which they were applied, and by whom or by what means they were
applied. [9191]
Therefore, we may perform a test of operating effectiveness at more than one point during the period under
audit. [4703.1]

We perform tests of operating effectiveness of controls in the following two circumstances: [4700.1]

• when substantive procedures alone do not provide sufficient appropriate audit evidence, and

• when the nature, extent, and timing of our planned substantive procedures include an
expectation that controls are operating effectively (i.e., when we plan to rely on controls to
modify the extent of our substantive testing).
We perform tests of the operating effectiveness of controls only on those controls that we have determined are suitably
designed and implemented to prevent, or detect and correct, a significant misstatement in an assertion. [4703]

We do not test the operating effectiveness of controls that we have determined are either not
designed effectively or have not been implemented properly by the entity.

Tests of operating effectiveness are concerned with: [4703.2]

• how controls were applied

• the consistency with which they were applied during the period, and

• by whom they were applied.


When testing the operating effectiveness of controls, we consider the following: [4704]

Nature
There are a number of control testing techniques that we may use to obtain audit evidence about the effectiveness of the
operation of controls, such as: [4730]

• observation
We observe the performance of the control.

• inquiry
We ask a knowledgeable person for information about the operation of a control.

• reperformance
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
We reperform the operation of a control to ascertain that it was performed correctly.
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• recalculation
Page 76 / 133
We recalculate the mathematical accuracy of documents or record supporting the operation of a control.
We observe the performance of the control.

• inquiry
We ask a knowledgeable personInternational Audit Workbook
for information about (Interntional Audit of
the operation Workbook)
a control.

• reperformance
We reperform the operation of a control to ascertain that it was performed correctly.

• recalculation
We recalculate the mathematical accuracy of documents or record supporting the operation of a control.
Recalculation can be performed by using CAATs to check the accuracy of the summarization of the file.

• inspection
We look at records or documents supporting the operation of a control.

• corroborative inquiry
We corroborate results of inquiries concerning the performance of a control through confirmation with other
members of the entity. Corroboration helps to confirm the validity and consistency of the application of a control.

• knowledge assessment
We combine inquiry, inspection, and reperformance techniques to test an individual's knowledge of a subject or his
or her ability to perform a control effectively.

• system query
We test automated controls within an information technology application to determine whether they are operating
as expected.
We should perform other audit procedures in combination with inquiry to test the operating effectiveness of controls. [4731]

Timing
The timing of tests of controls depends on our objective and determines the period of reliance on those controls.

When we perform audit work before the period-end, we consider the potentially increased risk
that we will not detect a significant misstatement that may exist at the period-end. We reduce
this potentially increased audit risk by performing additional audit work to cover the remaining
period in a way that provides a reasonable basis for extending the audit conclusions to the
period-end. [4747.1] /[4748]

If we test controls at a particular time, we only obtain audit evidence that the controls operated effectively at that time.
However, if we test controls throughout a period, we obtain audit evidence of the effectiveness of the operation of the
controls during that period. [4745]
If we perform tests of controls prior to period-end, we consider the additional evidence required for the remaining period.
[4743]
For all controls that are tested up to an interim date, we also document in the Audit Program the procedures performed to
obtain additional audit evidence that they continued to operate effectively for the remaining period. [4750.1]
Relevant factors in determining what additional audit evidence to obtain about controls that were operating during the
period remaining after an interim period, include: [4751]

• the significance of the assessed risks of significant misstatement

• the specific controls that were tested during the interim period

• the degree to which audit evidence about the operating effectiveness of those controls was
obtained

• the length of the remaining period

• the extent to which the auditor intends to reduce further substantive procedures based on the
reliance of controls, and
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• the control environment.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
For example, if a control is automated, with effective IT general controls, inquiry alone may be sufficient regardless of the
Page 77 / 133
length of the roll-forward period. If a manual control involves a high degree of subjectivity or judgment, we usually expect
• the degree to which audit evidence about the operating effectiveness of those controls was
obtained

• International Audit Workbook (Interntional Audit Workbook)


the length of the remaining period

• the extent to which the auditor intends to reduce further substantive procedures based on the
reliance of controls, and

• the control environment.


For example, if a control is automated, with effective IT general controls, inquiry alone may be sufficient regardless of the
length of the roll-forward period. If a manual control involves a high degree of subjectivity or judgment, we usually expect
the nature of the roll-forward procedures to be more extensive than inquiry and the roll-forward period to be limited.

Extent
When we test controls, we use our professional judgment to determine the extent of our audit procedures. We design our
audit procedures to be sufficiently extensive to provide reasonable assurance that the controls operated effectively
throughout the period. [4763.1]
Extent includes the quantity of a specific audit procedure to be performed, for example, a sample size or the number of
observations of a control activity. The extent of an audit procedure is determined by us after considering each of the
following: [4763.2]

• The characteristics of the population


- Is the population from which we are selecting the sample appropriate for the specific test
objective?

• The degree of assurance provided by the sample and other tests of controls.
- Are we performing tests of controls over a single control addressing an assertion or multiple
controls addressing the same assertion?

• The number of control deviations that can be accepted


- Do we expect control deviations in the sample? Guidance below is presented separately
based on our expectation regarding control deviations in the sample.

• Our assessment of the risk of failure of the control


- If the control is not effective, is there a risk that a material misstatement would result?

The number of control deviations that can be accepted


We normally do not expect to find control deviations when we select controls to test. However, there may be circumstances
where we are prepared to accept a small number of control deviations but still consider it appropriate to rely on the
operating effectiveness of the control to provide audit evidence to enable us to modify the nature, timing, or extent of our
substantive procedures. [4767.2]
Circumstances in which we may be willing to accept some control deviations include those where: [4767.3]

• transactions which are subject to the control are not individually large, complex, or likely to
include a significant misstatement

• the operation of the control does not require significant judgment, or

• we are not obtaining a large part of our audit evidence with respect to the relevant Audit
objective from our test of the operating effectiveness of this control.
We consider whether the rate of expected control deviations indicates that the control will not be sufficient to reduce the
risk of significant misstatement. If the rate of expected control deviations is expected to be too high, we may determine that
tests of controls for a particular assertion may not be effective. [4767.3.1]

Our assessment of the risk of failure of the control


The risk of failure is the risk that the control might not be effective and, if not effective, the risk that a material
misstatement would result. We assess the risk of failure as lower or higher using our professional judgment, based on the
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
specific circumstances of the control. [4766.3]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

As the risk of failure of the control increases, the evidence we obtain also increases such that we Page 78 / 133
might choose to obtain more persuasive audit evidence and/or more evidence in terms of
tests of controls for a particular assertion may not be effective. [4767.3.1]

Our assessment of the risk of failure of the control


International Audit Workbook (Interntional Audit Workbook)
The risk of failure is the risk that the control might not be effective and, if not effective, the risk that a material
misstatement would result. We assess the risk of failure as lower or higher using our professional judgment, based on the
specific circumstances of the control. [4766.3]

As the risk of failure of the control increases, the evidence we obtain also increases such that we

! might choose to obtain more persuasive audit evidence and/or more evidence in terms of
number of operations of the control tested. [4766.1.1]

Factors that affect the risk of failure associated with a control include: [4766.4]

• the nature and materiality of the misstatements which the control is designed to prevent or
detect

• the assertions addressed by the control

• the inherent risk of error associated with the relevant significant account and assertions

• whether there have been changes in the volume or nature of transactions over which the control
operates

• the competence of the personnel who perform the control or monitor its performance, and
whether there have been changes in such personnel

• the effectiveness of relevant entity level controls, particularly monitoring controls which relate to
the specific control being tested

• the nature of the control and the frequency with which it operates

• the complexity of the control and the significance of the judgments that must be made in
connection with its operation

• whether the related significant account has a history of errors

• the degree to which the control relies on the effectiveness of other controls, and

• whether the control relies on performance by an individual or is automated.


KAM International 4766.5 contains examples of indicators of higher and lower risks of failure for each factor.

Increasing the extent of an audit procedure is effective only if the audit procedure itself is

! relevant to the specific risk; therefore, the nature of the audit procedure is the most important
consideration. [4763.7]

Sample sizes for testing manual controls when we expect no control deviations
We consider the following guidance related to the frequency of the performance of the control when planning the extent of
tests of the operating effectiveness of manual controls for which we do not expect to find control deviations. We determine
the appropriate number of control occurrences to test based on the following minimum sample size for the frequency of the
control activity dependent on whether we have assessed a lower or higher risk of failure of the control. [4768.1]

Frequency of control activity Minimum sample size

Risk of failure

Lower Higher

Annual 1 1
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
Quarterly (including period-end, i.e. +1) 1+1
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 1+1

Monthly 2 3 Page 79 / 133


Risk of failure

Lower
International Audit Workbook (Interntional Audit Workbook) Higher

Annual 1 1

Quarterly (including period-end, i.e. +1) 1+1 1+1

Monthly 2 3

Weekly 5 8

Daily 15 25

Recurring manual control (multiple times per 25 40


day)

Although +1 is used to indicate that the period-end control is tested, this does not mean that for
more frequent control operations the year-end operation cannot be tested.

Sample sizes for testing recurring manual controls when we accept some control
deviations
In circumstances when we test a larger sample of controls and accept a small number of control deviations, when testing
controls which operate at more than one homogeneous location or when we are performing a dual-purpose test, where our
substantive sample size is larger than the indicated minimum for the test of operating effectiveness of the control, we use
the following table to determine the number of control deviations which can be accepted for a given sample size, for both a
lower or higher risk of failure of the control: [4769.2] [4769.3]

Sample sizes Number of acceptable control


deviations
Risk of failure

Lower Higher

50 80 1

60 95 2

71 111 3

85 133 4

98 154 5

111 175 6

124 195 7

137 215 8

150 235 9

163 255 10

175 275 11
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
188 294
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 12

200 314 13 Page 80 / 133


150 235 9

163 255
International Audit Workbook (Interntional Audit Workbook) 10

175 275 11

188 294 12

200 314 13

212 333 14

225 352 15

237 372 16

249 391 17

261 410 18

273 429 19

285 448 20

After determining which locations we will test, we select and test a minimum of 10 operations of the recurring manual
controls at each location selected. We use the table above to determine the aggregate number of control deviations
acceptable for the corresponding total sample size. [4770.6]
For example, if we test a homogeneous control at 15 locations, the minimum sample size is 150 items and the maximum
number of expected control deviations in the sample is 9 for a control which we assess as having a lower risk of failure.
When we test controls at multiple locations, we conclude controls are effective if not more than the aggregate acceptable
number of control deviations are found in the total of the sample items selected, and not more than one control deviation is
found at each sampled location. [4770.7]
Continuing with the previous example, if one control deviation is detected in each of nine locations, and no control deviations
are detected in the remaining six locations, we conclude that the control is effective, if none of the control deviations are
considered to be representative of a systematic or intentional control deviation.
This table above may also be used in other circumstances in consultation with a KPMG Sampling Specialist. [4769.2]

We may design a test of controls to be performed concurrently with a test of details on the same
transaction. The objective of tests of controls is to evaluate whether a control operated
effectively. The objective of tests of details is to detect significant misstatements at the assertion
level. Although these objectives are different, both may be accomplished concurrently through
performance of a test of controls and a test of details on the same transaction, also known as a
dual-purpose test. [4735]
For example, when attending the physical inventory count, we may select a sample of items for
which we reperform the client's count to test the operating effectiveness of internal controls.
This also provides us with substantive audit evidence.

In some situations, a similarly designed control operates at the same time over many different
components of a class of transactions, account balance, or disclosure. In these situations we use
our judgment to determine the extent of testing both in terms of the frequency of testing (such
as number of days, weeks, or months to test) and the number of similar operations to test at
each point in time (such as number of locations or different application controls effected).
[4613.14.3]
For example, an entity may have one change management process to manage changes made to
all of its applications. If the control to authorize, test, and approve program changes occurs 12
times during the year and includes multiple changes on each occurrence, we may choose to test
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
two occurrences of the control during the period under audit. Rather than test the operation of
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
the control to authorize, test, and approve every change at these two occurrences, we may
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
inspect the documentation to identify changes relevant to financial reporting and use professional
judgment to select a sample of the changes at each of the two occurrences. We then test the Page 81 / 133
as number of days, weeks, or months to test) and the number of similar operations to test at
each point in time (such as number of locations or different application controls effected).
[4613.14.3]
International Audit Workbook (Interntional Audit Workbook)
For example, an entity may have one change management process to manage changes made to
all of its applications. If the control to authorize, test, and approve program changes occurs 12
times during the year and includes multiple changes on each occurrence, we may choose to test
two occurrences of the control during the period under audit. Rather than test the operation of
the control to authorize, test, and approve every change at these two occurrences, we may
inspect the documentation to identify changes relevant to financial reporting and use professional
judgment to select a sample of the changes at each of the two occurrences. We then test the
operating effectiveness of this sample.

Use of audit evidence obtained in prior periods regarding the operating effectiveness
of controls

This section is relevant for both manual and automated controls.

When we have determined that an assessed risk of material misstatement at the assertion level

! is a significant risk and we plan to rely on the operating effectiveness of controls intended to
mitigate that significant risk, we should obtain the audit evidence about the operating
effectiveness of those controls from tests of controls performed in the current period. [ISA
330.44][4775.5.1.4]

Our decision to base our assessment of the operating effectiveness of controls on evidence obtained in previous audits is a
matter of professional judgment. [4775.5.2]
If we plan to use audit evidence about the operating effectiveness of specific controls obtained in previous audits, we:

• establish the continuing relevance of that evidence by obtaining audit evidence about whether
changes in those specific controls have occurred subsequent to the previous audit by performing
a walkthrough, and

• test the entity’s relevant monitoring controls, which provide a basis for management’s assertion
that there have been no changes to those specific controls and that those specific controls
continue to operate effectively.
If there have been changes that affect the continuing relevance of the audit evidence obtained in the previous audit, we test
the operating effectiveness of such controls in the current audit. [4775.5.8]

See section titled "Understand likely sources of potential misstatements" in the Control Evaluation
chapter of KAM for further guidance about walkthroughs.

If we plan to rely on controls that have not changed since they were last tested, we should test the operating effectiveness
of such controls at least once in every third audit. [4775.5.1.2]
Factors that ordinarily decrease the period for retesting a control include: [4775.5.4]

• an ineffective or partially effective control environment

• ineffective or partially effective monitoring of controls

• a significant manual element to the relevant controls

• personnel changes that significantly affect the application of the control

• changing circumstances that indicate the need for changes in the control, and

• ineffective IT general controls.


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
If we plan to use audit evidence about the operating effectiveness of controls obtained in previous audits, we: [4775.5.12.1]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• describe the audit evidence obtained through a walkthrough that supports that no changes in the
design or implementation of the subject controls have occurred since our last evaluation Page 82 / 133
• a significant manual element to the relevant controls

• personnel changes that significantly affect the application of the control

• International
changing circumstances that indicate the Audit
needWorkbook (Interntional
for changes in theAudit Workbook)
control, and

• ineffective IT general controls.


If we plan to use audit evidence about the operating effectiveness of controls obtained in previous audits, we: [4775.5.12.1]

• describe the audit evidence obtained through a walkthrough that supports that no changes in the
design or implementation of the subject controls have occurred since our last evaluation

• include in the current audit file a copy of the prior year’s working papers relating to our
evaluation of the design and implementation of the controls and our test of their operating
effectiveness

• document the conclusions reached with regard to the use in the current audit of audit evidence
about the operating effectiveness of controls that was obtained in a previous audit.
Our testing considerations during an audit period are made on an assertion basis and not on a control-by-control basis.
Therefore, when there have been changes that affect the continuing relevance of the audit evidence about one or more
controls related to an assertion, we do not use audit evidence obtained in previous audits about the operating effectiveness
of other controls that operate over the same assertion. [4775.5.9]
When there are a number of controls for which we determine that it is appropriate to use audit evidence obtained in prior
audits, we should test the operating effectiveness of some controls each audit. [4775.5.1.3]

Reliability of underlying data

When performing a substantive test using sampling techniques such as KPMG MUS or the KPMG

! Sampling Plan for the purpose of forming a monetary conclusion on the population, we do not
use the guidance included in this section. [4777]

Underlying data represents information produced by the entity that may be included in a system generated report
or a management prepared document. [4776.1]

When we use information produced by the entity to perform audit procedures, we should obtain audit evidence about the
accuracy and completeness of the information. [4776.2]
The nature and extent of audit procedures performed will vary depending on engagement-specific circumstances and on
whether the information is the product of an automated or a manual activity. [4785.2]

Automated Manual

If a system-generated report is the product of an If a management-prepared document is the


automated activity, and IT general controls are product of a manual activity, then we may assess
tested and found to be operating effectively for the the design and operating effectiveness of relevant
period under audit, then we may assess the manual controls associated with information
design and operating effectiveness of relevant included in the document to determine whether
automated application controls associated with such information may be used in performing
information included in the document to determine further audit procedures (substantive or control).
whether such information may be used in [4785.6]
performing further audit procedures (substantive
or control). [4785.5] We refer to the sample size guidance for testing
manual controls in the section titled, "Extent of
When automated application controls associated tests of controls" of KAM.
with the completeness and accuracy assertions
are different, relevant controls for each assertion
should be assessed for effectiveness. In designing
the relevant audit procedures, we assess and
conclude on both the accuracy and completeness
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
assertions.
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
We refer to the sample size guidance in the
section titled, "Extent of tests of controls" in KAM. Page 83 / 133
When automated application controls associated tests of controls" of KAM.
with the completeness and accuracy assertions
are different, relevant controls for eachInternational
assertion Audit Workbook (Interntional Audit Workbook)
should be assessed for effectiveness. In designing
the relevant audit procedures, we assess and
conclude on both the accuracy and completeness
assertions.
We refer to the sample size guidance in the
section titled, "Extent of tests of controls" in KAM.

Procedures performed to assess the accuracy of underlying data also include checking the mathematical accuracy of such
reports or documents. [4785.6.1]
When IT general controls are not tested for operating effectiveness, or are deemed ineffective, or manual controls have not
been determined to be effective during the period, we assess the accuracy of information included in underlying data using
sampling. [4785.13]
The following chart outlines the suggested sample sizes:

Estimate of the number of transaction items Suggested sample size


included in the population

50 or fewer 5

51-250 15

>250 25

If we detect an error while performing our audit procedures, we need to understand:

• the nature and cause of the error

• its impact on the assertion associated with the report or document

• whether it may be indicative of systematic error or the possible existence of fraud.


We make specific inquiries to understand these matters and their potential consequences. We use professional judgment in
determining the nature and extent of additional audit procedures necessary to confirm our understanding. [4785.14.1]
The nature and source of the underlying data will dictate the nature and extent of audit procedures performed to assess
completeness of data. [4785.10]
For example, when the underlying data does not include all items within a particular account balance, assessing
completeness of information included in such documents may require alternative audit procedures. [4785.11]
For example, to assess the completeness of a management-prepared document representing unpaid customer
invoices outstanding greater than 90 days (90-day report), we may assess the completeness of the information
included in the 90-day report by selecting source documents from the unpaid accounts file (a reciprocal population)
to determine if the related invoices are appropriately reflected in, or omitted from, the 90-day report. The sample
size determination should be made based on the number of individual items in the reciprocal population.
We assess the completeness and accuracy of underlying data each time the underlying data is generated and the related
information is used in the performance of further audit procedures (control or substantive) when we do not have evidence
that the relevant controls are operating effectively for the underlying data. [4785.16]
For example, where information included in underlying data (e.g., accounts receivable aging) is prepared as of an
interim date and as of year-end, and is used in the performance of further audit procedures (control or
substantive), completeness and accuracy are assessed as of the interim date and as of year-end.

4.4.1 Deviations Discovered During Testing

This guidance relates only to recurring controls that operate each time a transaction occurs. It

! does not apply to periodic controls (daily, weekly, or monthly).


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
If control deviations are found in tests of periodic controls, the sample size cannot be extended
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
and we conclude that the control is ineffective and consider the implication on our audit
Page 84 / 133
approach. [4792.3]
4.4.1 Deviations Discovered During Testing
International Audit Workbook (Interntional Audit Workbook)

This guidance relates only to recurring controls that operate each time a transaction occurs. It

! does not apply to periodic controls (daily, weekly, or monthly).


If control deviations are found in tests of periodic controls, the sample size cannot be extended
and we conclude that the control is ineffective and consider the implication on our audit
approach. [4792.3]

When control deviations are detected during the performance of tests of controls, we make specific inquiries to understand
the cause of the control deviations and their potential consequences, for example, by inquiring about the timing of personnel
changes in key internal control functions. We determine whether such control deviations are representative of systematic or
intentional control deviations. [4792.5.2]

The discovery of a systematic or intentional control deviation ordinarily requires a broader

! consideration of possible implications than does the discovery of an error. [4792.6]


If in our judgment the deviation is believed to be intentional, we follow the guidance in the
section titled "Consider the fraud, earnings management, and internal control implications of
audit differences" in the Completion chapter of KAM International.

Considering the consequences of a control deviation is a matter of professional judgment. When a deviation is not
considered to be representative of a systematic or intentional control deviation, we consider if we can conclude that the
control is operating effectively as follows:

Findings No expected error Increased sample size sufficient that


some error can be accepted (in
(normal situation) accordance with the table above)

Example Sample size is less than 50 for a lower risk Greater than 50 for lower risk of failure or
control or 80 for a higher risk control 80 for higher risk of failure

No errors found in Conclude control is effective. [4791.2] Conclude control is effective. [4791.2]
initial sample

One error found in If we conclude the control deviation does not If we conclude the control deviation does not
initial sample represents a systematic or intentional control represent a systematic or intentional control
deviation, we either conclude the control is deviation, we conclude the control is
not effective or carry out additional testing effective.
on a sample size at least the same size as
the initial sample size.

More than one error Conclude the control is not effective. If we conclude the control deviation does not
found in the initial represent a systematic or intentional
sample deviation, we assess the control as being
effective if the number of deviations is less
than or equal to the number of acceptable
control deviations for the sample size and
ineffective if the number of deviations found
is greater than the number of acceptable
control deviations for the sample size.
[4792.4]
1 See below for special considerations for a
homogenous control operating over multiple
locations

No errors found in Conclude control is effective. We do not extend the sample size where a
extended sample larger initial sample size is used and the
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
number of deviations identified is greater
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
than the number of acceptable control
deviations for the sample size. Page 85 / 133
1 See below for special considerations for a
homogenous control operating over multiple
locations
International Audit Workbook (Interntional Audit Workbook)

No errors found in Conclude control is effective. We do not extend the sample size where a
extended sample larger initial sample size is used and the
number of deviations identified is greater
than the number of acceptable control
deviations for the sample size.

One or more errors Conclude the control is not effective. We do not extend the sample size where a
found in the extended larger initial sample size is used and the
sample size number of deviations identified is greater
than the number of acceptable control
deviations for the sample size.

1 When we test controls at multiple locations, we conclude controls are effective if not more than
the aggregate acceptable number of control deviations are found in the total of the sample items
selected, and not more than one deviation is found at each sampled location.
If we find more than one deviation at a sampled location, we conclude that the control is ineffective at that specific
location and modify the nature and extent of our test work at the specific location(s) for which the controls were
deemed to be ineffective. [4792.5.1]
We consider the nature and cause of the control deviation and determine whether the conditions under which the
deviation occurred are applicable at other locations. [4792.5.1]
Considering the consequences of a control deviation is a matter of professional judgment and is influenced by the
characteristics of the control and the number of control deviations detected. [4792.7]
For example, the failure in a reconciliation control during an interim period may be corrected before the period-end, in such
a way that does not impact the financial statements, while still impacting on other audit procedures. For example, if a bank
reconciliation is not performed for the four months from June to September, but is performed appropriately at the period-
end, the control will still be effective in relation to the recording of cash receipts and cash payments in the period and can
be relied upon. However, the failure to operate the control effectively during the period does undermine the reliability of
monthly management accounts and thus any trend analysis performed over the period.
If control deviations are found in tests of controls which operate periodically, the sample size cannot be extended and we
conclude that the control is ineffective and consider the implication on our audit approach. [4792.3]

4.5. Control Deficiencies

A control deficiency may consist of either a design or operating deficiency.


A design deficiency exists when either a necessary control is missing or an existing control is not properly
designed so that even when the control is operating as designed, the control objective is not always met.
An operating deficiency exists when a properly designed control either is not operating as designed or the person
performing a control does not possess the necessary authority or qualifications to perform the control effectively.
[4793.1]

An operating deficiency also includes the failure to implement a control that has been properly
designed.

We analyze and evaluate all exceptions discovered in testing internal control over financial reporting to determine whether
they represent deficiencies. In making this determination, we consider several factors, including: [4793.3]

• How was the exception detected? Detection by another control may be a sign of an effective
detective control, while detection through management or our testing may be indicative of a
deficiency.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
• Is the exception confined to a single location, process, or application, or is it pervasive in the
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
organization?

• How significant is the control deviation from stated policy? For example, was the control Page 86 / 133
We analyze and evaluate all exceptions discovered in testing internal control over financial reporting to determine whether
they represent deficiencies. In making this determination, we consider several factors, including: [4793.3]

• How was the exception detected? Detection


International byWorkbook
Audit another(Interntional
control may Auditbe a sign of an effective
Workbook)
detective control, while detection through management or our testing may be indicative of a
deficiency.

• Is the exception confined to a single location, process, or application, or is it pervasive in the


organization?

• How significant is the control deviation from stated policy? For example, was the control
performed late but still before the preparation of the financial statements or was the control not
performed at all?

• How often were exceptions detected in relation to how frequently the control is performed?
We also determine the effect of the exception on the nature and extent of additional testing that may be appropriate or
necessary and on the operating effectiveness of the control being tested. A conclusion that an identified exception does not
represent a control deficiency is appropriate only if evidence beyond what was initially planned and beyond inquiry supports
that conclusion. [4793.4]
If the results of our tests of control show that the internal controls are not designed and operating effectively, we assess
control risk in terms of controls being ineffective. [4793.2]
Our response to ineffective IT general controls is based on the facts and circumstances specific to each entity. The potential
effect and our possible response to ineffective IT general controls are as follows: [4793.4.0.1]

Effect Audit response

The extent to which we Performing additional audit procedures that would enable us to continue to rely on
may place reliance on the application control and/or evaluating the design and implementation, and testing
specific controls to modify the operating effectiveness of other controls designed to achieve the same control
the nature, timing, and objective. [4793.4.0.2]
extent of the substantive
procedures that we intend For example, if we intend to rely on an application control consisting of a three-way
to perform match, but conclude that program change controls specific to this application control
are ineffective because application developers had unrestricted access to migrate
changes into the live environment, we may perform additional audit procedures that
would enable us to continue to rely on the application control. We may be able to
determine that:

• no changes were made to the application

• the only people that made changes to the application were


authorized and the changes were appropriate.
We may also test the application control at more than one point during the audit. The
number of tests of the application control depends, amongst others, on the nature
and frequency of the control, the frequency of changes to the application, the
assessment of inherent risk, and especially fraud risk. The number of tests is likely to
be less frequent than a recurring manual control. [4775.3.1]

Our assessment of control Increasing our assessment of control risk and therefore RoSM thereby modifying the
risk and therefore RoSM nature, timing, and extent of our substantive procedures. [4793.4.0.2]

The engagement team ordinarily works closely with IRM specialists in responding to ineffective

! IT general controls. [4793.4.0.2]

Material weaknesses in internal control are control deficiencies that could have a material effect on the financial
statements. [9171]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Our responsibility to communicate weaknesses in internal control applies equally to an SE or VSE engagement,
even when: Page 87 / 133
!
International Audit Workbook (Interntional Audit Workbook)
Material weaknesses in internal control are control deficiencies that could have a material effect on the financial
statements. [9171]

Our responsibility to communicate weaknesses in internal control applies equally to an SE or VSE engagement,
even when:

•  we believe the owner-manager may already be informed about such matters,
•  we are not sure if weaknesses in internal control, particularly those related to limited
segregation of duties, can be addressed in a cost beneficial manner.
It is only by communicating identified weaknesses that we can be certain that management and those charged
with governance have been informed of the problem.

4.6. Substantive Approach


A "substantive approach" for certain audit objectives may be applied when we have obtained an understanding of entity
level controls and all of the following criteria are met: [4006]

• the audit objective does not include relevant assertions associated with a significant risk (i.e.,
significant inherent risk of error or a fraud risk)

• it is possible and practical to obtain sufficient appropriate audit evidence only from substantive
audit procedures in order to reduce audit risk to an acceptably low level, and

• it is not more efficient to test the operating effectiveness of controls.


In a substantive approach, we document our understanding of the accounting activities relevant to the significant accounts
that the audit objective addresses, and then make our RoSM assessment. If we do not evaluate the design and
implementation of controls for a particular audit objective, the assessment of RoSM is based on the assessment of inherent
risk.

For audit objectives for which we are adopting a substantive approach, the Audit Program has
fewer sections: one section to document the accounting activities (which varies depending on
whether the audit objective addresses one or more classes of transactions, an account balance
derived from an estimate, an "other" account balance, or a disclosure), one section to document
our RoSM assessment, and the final section to document our substantive procedures for that
audit objective.

We assess whether to adopt a substantive approach for individual audit objectives, not for the
whole audit.
We cannot adopt a substantive approach for audit objectives associated with a significant risk.

4.7. Financial Reporting


We obtain an understanding of the financial reporting process used to prepare the entity's financial statements, including
significant accounting estimates and disclosures. [4801]
Preparation of the entity's financial statements include procedures that are designed to ensure information required to be
disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized, and
appropriately reported in the financial statements. [4802]
An entity's financial reporting process also includes the use of nonstandard journal entries to record nonrecurring, unusual
entries or adjustments.
Examples of such entries include consolidating adjustments and entries for a business combination or disposal or
nonrecurring estimates such as an asset impairment. [4803]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
In manual, paper-based general ledger systems, nonstandard journal entries may be identified through inspection of
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
ledgers, journals, and supporting documentation. However, when automated procedures are used to maintain the general
ledger and prepare financial statements, such entries may exist only in electronic form and may be more easily identified
Page 88 / 133
through the use of computer-assisted audit techniques (CAATs). [4803]
An entity's financial reporting process also includes the use of nonstandard journal entries to record nonrecurring, unusual
entries or adjustments.
International Audit Workbook (Interntional Audit Workbook)
Examples of such entries include consolidating adjustments and entries for a business combination or disposal or
nonrecurring estimates such as an asset impairment. [4803]
In manual, paper-based general ledger systems, nonstandard journal entries may be identified through inspection of
ledgers, journals, and supporting documentation. However, when automated procedures are used to maintain the general
ledger and prepare financial statements, such entries may exist only in electronic form and may be more easily identified
through the use of computer-assisted audit techniques (CAATs). [4803]
In addition, we understand how the incorrect processing of transactions is resolved, for example, whether there is an
automated suspense file and how it is used by the entity to ensure that suspense items are cleared out on a timely basis,
and how system overrides or bypasses to controls are processed and accounted for. [4804]
For each of the mandatory financial reporting audit objectives we: [4808]

• document the activities relevant to the audit for each financial reporting audit objective

• evaluate the design and implementation of selected controls and test their operating
effectiveness when we plan to rely on the operating effectiveness of controls to modify the
nature, timing, or extent of our substantive procedures, and

• perform substantive procedures to obtain audit evidence.

A smaller entity will often be less likely to have effective controls over the financial reporting process. Accordingly,
we may take a substantive approach in completing the mandatory audit objectives listed below unless:

•  a significant inherent risk of error or a fraud risk has been identified with respect to the
audit objective

•  it is more efficient to take a controls approach, or


•  it is only possible to reduce audit risk to an acceptably low level by performing tests of
controls.

Mandatory financial reporting audit objectives

1. Comparative information To obtain sufficient appropriate audit evidence that comparative information is
appropriately reported and the correct opening balances are processed and
appropriately reported. [4808.2]

2. Presentation To obtain sufficient appropriate audit evidence that the overall financial statement
presentation, including preparation of financial statements and related footnote
disclosures and other additional information are accumulated, processed,
summarized, and presented fairly; this includes documentation which demonstrates
that the financial statements agree or reconcile with the underlying accounting
records. [4808.6]

3. Journal entries To obtain sufficient appropriate audit evidence that the completeness, existence, and
accuracy of journal entries, including standard and nonstandard journal entries and
other adjustments are not significantly misstated. [4808.14]

4. Subsequent events To obtain sufficient appropriate audit evidence that all material subsequent events
have been accumulated, recorded, processed, summarized, and reported
appropriately. [4808.21]

5. Adjustments To obtain sufficient appropriate audit evidence that recurring and nonrecurring
adjustments to consolidated financial statements, such as consolidating and
eliminating entries, report combinations, classifications, and "top-side" journal
entries, have been authorized and recorded appropriately. [4808.27]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
This audit objective may not be applicable if consolidated financial statements are not
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
presented.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

6. Cash flows To obtain sufficient appropriate evidence that the cash flows have been accumulated, Page 89 / 133
recorded, processed, summarized, and reported appropriately in the statement of
5. Adjustments To obtain sufficient appropriate audit evidence that recurring and nonrecurring
adjustments to consolidated
International financial
Audit Workbook statements,
(Interntional such as consolidating and
Audit Workbook)
eliminating entries, report combinations, classifications, and "top-side" journal
entries, have been authorized and recorded appropriately. [4808.27]
This audit objective may not be applicable if consolidated financial statements are not
presented.

6. Cash flows To obtain sufficient appropriate evidence that the cash flows have been accumulated,
recorded, processed, summarized, and reported appropriately in the statement of
cash flows. [4808.31]
This audit objective may not be applicable if a cash flows statement is not required.

7. Equity To obtain sufficient appropriate evidence that the movements in equity have been
accumulated, recorded, processed, summarized, and reported appropriately in the
statement of changes in equity. [4808.35]

"Top-side" entry is a term commonly used to describe journal entries or adjustments that are initiated by the
parent company as part of the preparation of the financial statements for the group ("push-down" entries or
adjustments) and relate to the subsidiary. Such entries may be recorded as consolidation or "post closing" entries,
or the subsidiary may be instructed to record the entry in its general ledger or through its reporting package to
the parent company. In general, these entries are usually initiated by management-level personnel and are not
routine or associated with the normal processing of transactions. "Top-side" entries or adjustments may be
initiated by the parent company or another subsidiary, which include in their results the results of the subsidiary
that has been instructed to record the journal entry or adjustment. [9310]
"Post closing" entry is a term commonly used to describe journal entries processed as part of preparation of the
entity's financial statements, which are usually made after a reporting period has ended, but before the financial
statements for the period have been filed. They may or may not be reflected in the entity's general ledger. For the
purposes of our audit, these include entries that are made subsequent to the closing of the general ledger that the
engagement team is auditing. [9198.2]

Appendix I to the Financial Reporting Audit Program contains mandatory substantive audit
procedures in relation to the subsequent events audit objective.

4.8. Risk of Significant Misstatement (RoSM)

The risk of significant misstatement at the assertion level is the risk that an assertion relating to a significant
account or disclosure could be materially misstated due to error.
We assess the risk of significant misstatement for audit objectives by considering our separate assessments of
inherent risk (made during Planning) and control risk (determined in Control Evaluation).
The assessed level of risk of significant misstatement (high, moderate, or low) impacts the nature, timing, and
extent of our substantive procedures and is a factor in determining sample sizes if KPMG Monetary Unit Sampling
or the KPMG Sampling Plan is used. [9224]

If we do not evaluate the design and implementation of controls for a particular audit objective,

! the assessment of RoSM is based on the assessment of inherent risk.


Our evaluation of entity level controls can also affect our assessment of RoSM for audit
objectives. Where entity level controls are poor or ineffective, this may increase our assessment
of RoSM. Effective entity level controls cannot reduce our assessment of RoSM. [4912.1]

When assessing RoSM, we also consider the nature, cause (if known), and amount of audit differences from the audit of the
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
prior period's financial statements. [4920]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 90 / 133
Normally, for low or moderate inherent risks, we will evaluate the design and implementation of
! Our evaluation of entity level controls can also affect our assessment of RoSM for audit
objectives. Where entity level controls are poor or ineffective, this may increase our assessment
International Audit Workbook (Interntional Audit Workbook)
of RoSM. Effective entity level controls cannot reduce our assessment of RoSM. [4912.1]

When assessing RoSM, we also consider the nature, cause (if known), and amount of audit differences from the audit of the
prior period's financial statements. [4920]

Normally, for low or moderate inherent risks, we will evaluate the design and implementation of
controls only when we also intend to test the operating effectiveness so that we can obtain audit
evidence that the controls are operating effectively and therefore we can modify the nature,
timing, and extent of our substantive procedures.
For low or moderate inherent risks, if we plan to obtain all the audit evidence from substantive
procedures, then we would not need to evaluate the design and implementation of controls.
For significant inherent risks, we have to evaluate the design and implementation of controls
whether or not we plan to obtain audit evidence over the operating effectiveness of controls.

The following matrix indicates a suggested RoSM assessment, given our assessment of inherent risk and whether: [4935]

• controls are effectively designed and implemented and whether we obtained sufficient
appropriate audit evidence that the control is operating effectively (column 1), or we have chosen
not to test the operating effectiveness of the control (column 2), or

• controls are not effective. These controls may be either improperly designed or not implemented,
or not operating effectively.

This matrix is not intended to be prescriptive. If we determine that a lower (or higher) RoSM

! than that suggested by the matrix is appropriate, we can make such a choice of RoSM provided
this decision is appropriately justified and documented and justified in the Audit Program. [4936]

Effective entity level controls support RoSM assessments suggested by the above RoSM matrix. However, deficiencies in
entity level controls could undermine the effectiveness of some of the control activities and therefore may require us to
amend upwards our assessment of RoSM for some or all audit objectives. [4937]
For example, if entity level controls are deficient, an RoSM assessment suggested by this matrix may be increased from low
to moderate or from moderate to high, requiring further audit procedures to obtain more persuasive audit evidence than
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
would have been necessary if we did not have deficiencies in entity level controls.
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

In performing substantive procedures, we may detect misstatements in amounts or frequency Page 91 / 133
greater than is consistent with our control risk assessment. In circumstances where we obtain
Effective entity level controls support RoSM assessments suggested by the above RoSM matrix. However, deficiencies in
entity level controls could undermine the effectiveness of some of the control activities and therefore may require us to
amend upwards our assessment of RoSM for some or all audit objectives. [4937]
International Audit Workbook (Interntional Audit Workbook)
For example, if entity level controls are deficient, an RoSM assessment suggested by this matrix may be increased from low
to moderate or from moderate to high, requiring further audit procedures to obtain more persuasive audit evidence than
would have been necessary if we did not have deficiencies in entity level controls.

In performing substantive procedures, we may detect misstatements in amounts or frequency


greater than is consistent with our control risk assessment. In circumstances where we obtain
audit evidence from performing further audit procedures that tends to contradict our control risk
assessment on which we originally based the RoSM assessment, we revise the control risk
assessment and modify the nature, timing, or extent of further planned audit procedures
accordingly. [4945]
For example, the extent of misstatements that we detect by performing substantive procedures
may alter our judgment about the control risk assessment and may indicate a material weakness
in internal control. In addition, analytical procedures performed at the overall review stage of the
audit may indicate a previously unrecognized RoSM.

If, as a result of the substantive procedures performed, we determine that the RoSM assessment is to be revised upward,
we:

• revise our RoSM assessment upward to reflect a different assessment of inherent risks
subsequent to completion of the Planning Document, and

• determine whether the revised RoSM assessment is a significant change, which is documented in
the Completion Document
The previously documented assessment is retained, and a revised RoSM assessment, as well as the rationale for the
revised RoSM assessment, is documented in the Audit Program.
Interntional Audit Workbook

Chapter 5 - Substantive Testing


The objective of Substantive Testing is to perform substantive audit procedures to respond to our assessment of the risk of
significant misstatement for each audit objective. [5002]
Substantive Testing is described in the following chart: [5004]

5.1. Risk of Significant Misstatement


During Control Evaluation, we evaluated the impact of controls on our planned audit approach, confirmed whether we are
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
adopting a controls or a substantive approach for each audit objective, and assessed the risk of significant misstatement
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
based on the results of our Control Evaluation procedures. [5003]
We plan and perform substantive procedures to be responsive to our assessment of the risk of significant misstatement
Page 92 / 133
(RoSM). [5103]
5.1. Risk of Significant Misstatement
International Audit Workbook (Interntional Audit Workbook)

During Control Evaluation, we evaluated the impact of controls on our planned audit approach, confirmed whether we are
adopting a controls or a substantive approach for each audit objective, and assessed the risk of significant misstatement
based on the results of our Control Evaluation procedures. [5003]
We plan and perform substantive procedures to be responsive to our assessment of the risk of significant misstatement
(RoSM). [5103]
Substantive procedures are performed in order to detect significant misstatements at the assertion level and include
substantive analytical procedures and tests of details of classes of transactions, account balances, and disclosures. [3790.4]

For audit objectives that are associated with an assertion level fraud risk or for which we have

! assessed RoSM as high, our substantive procedures include tests of details, or a combination of
tests of details and substantive analytical procedures, that are specifically responsive to the
assessed risks. Substantive analytical procedures alone do not provide sufficient appropriate
audit evidence for such audit objectives. [5107]

We plan our substantive procedures, based on our RoSM assessment, using the following guidelines:

RoSM Assessment 1

Approach/Assessment Low Moderate High

Substantive analytical X X
procedures only may be
appropriate 2

Tests of details required 2 X

1 Refer to the RoSM Matrix in the Control Evaluation chapter for guidance on how each of the risk of significant
misstatements assessments is arrived at.
2 It may be necessary to perform a combination of substantive analytical procedures and tests of details to obtain sufficient
appropriate audit evidence.

We consider the sufficiency and appropriateness of the audit evidence we plan to obtain from

! substantive analytical procedures, in the context of our assessment of the risk of significant
misstatement, before deciding whether it is appropriate to perform tests of details. [5402.1]

5.2. Substantive Procedures


Regardless of the assessed levels of risk of significant misstatement, we perform substantive procedures including
substantive analytical procedures, tests of details, or both for all relevant assertions. [5119]

5.3. Nature, Timing, and Extent of Substantive Procedures


When deciding on the nature, timing, and extent of substantive audit procedures, we consider the following: [5013]

• the characteristics of a particular class of transactions; for example, the volume of transactions in
the reporting period, the nature and magnitude of the account balance or disclosure, and the
assertions covered by the audit objective

• risks identified during Planning

• the risk of significant misstatement


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• the nature of specific controls (manual or automated) and whether we expect to obtain audit
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
evidence on operating effectiveness of those controls, and
Page 93 / 133
• whether there is a risk of fraud.
the reporting period, the nature and magnitude of the account balance or disclosure, and the
assertions covered by the audit objective

• risks identified during Planning International Audit Workbook (Interntional Audit Workbook)

• the risk of significant misstatement

• the nature of specific controls (manual or automated) and whether we expect to obtain audit
evidence on operating effectiveness of those controls, and

• whether there is a risk of fraud.


We consider whether we have sufficient appropriate audit evidence for all relevant assertions. [5014]
For example, we may obtain audit evidence for the completeness of sales and receivables principally through tests of
controls and substantive analytical procedures and obtain audit evidence about the existence and occurrence, and accuracy
of sales and receivables by performing substantive procedures, such as a confirmation of balances or tests on subsequent
cash receipts.

5.3.1 Nature
The nature of substantive audit procedures refers to either substantive analytical procedures or tests of details. [5121]
We exercise judgment in selecting the appropriate combination of substantive procedures in response to the risk of
significant misstatement. Substantive analytical procedures may or may not provide us with all the audit evidence necessary
to respond to the risk of significant misstatement assessment for an audit objective. Tests of details may also be required.
[5133.9.6]
The nature of substantive procedures is illustrated below:

5.3.2 Timing
The timing of substantive audit procedures refers to when audit procedures are performed or the period or date to which
the audit evidence applies. [5135]

Timing Consideration
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Period-end The higher the risk of significant misstatement, the more likely it is that we decide it
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
is more effective to perform substantive procedures nearer to, or at, the period-end
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
rather than at an earlier date, or to perform audit procedures unannounced or at
Page 94 / 133
unpredictable times. [5138]
The timing of substantive audit procedures refers to when audit procedures are performed or the period or date to which
the audit evidence applies. [5135]
International Audit Workbook (Interntional Audit Workbook)

Timing Consideration

Period-end The higher the risk of significant misstatement, the more likely it is that we decide it
is more effective to perform substantive procedures nearer to, or at, the period-end
rather than at an earlier date, or to perform audit procedures unannounced or at
unpredictable times. [5138]
Certain substantive procedures can be or may be performed only at or after period-
end. [5141]
For example, agreeing or reconciling the financial statements with the accounting
records and examining adjustments made during the course of preparing the
financial statements.

Prior to period-end When substantive procedures are performed at an interim date, the risk that
misstatements may exist at the period-end and are not detected increases. This risk
increases as the remaining period is lengthened. [5150]
If we perform substantive procedures prior to period-end, we consider the additional
audit evidence required for the remaining period. [5151]

5.3.3 Extent
The extent of an audit procedure includes the quantity of a specific audit procedure to be performed. [5160]
For example, a sample size for a test of details or the number of observations of a control activity.
We increase the extent of our audit procedures if we assess the risk of significant misstatement at a higher level. [5162]
The use of CAATs may enable more extensive testing of electronic transactions and account files. Such techniques can be
used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an
entire population instead of a sample. [5163.1]

5.4. Substantive Analytical Procedures


Substantive analytical procedures consist of the evaluation of financial information through a study of plausible relationships
among both financial and nonfinancial data. They also encompass the investigation of identified fluctuations and
relationships that are seemingly inconsistent with other relevant information or deviate significantly from predicted amounts.
[5300.1]

When designing substantive analytical procedures, we assess whether an expectation can be developed with
sufficient precision to identify a significant misstatement at the desired level of assurance. Factors impacting the
precision of a substantive analytical procedure include:

• nature of the account and its predictability

• the degree to which information can be disaggregated

• availability and reliability of the data, both financial and nonfinancial

• nature and relevance of the information

• the type of procedure used.


We use our judgment to consider whether the precision of the procedure is appropriate given the desired level of
audit evidence. [9199]

Substantive analytical procedures are appropriate when: [5124]

• data can be disaggregated and tested to an appropriate level where persuasive audit evidence
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
can be obtained
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• procedures are performed on large volumes of transactions that tend to be predictable over time
Page 95 / 133
• plausible relationships exist that are sufficiently stable and predictive for us to achieve the
We use our judgment to consider whether the precision of the procedure is appropriate given the desired level of
audit evidence. [9199]

International when:
Substantive analytical procedures are appropriate Audit Workbook
[5124](Interntional Audit Workbook)

• data can be disaggregated and tested to an appropriate level where persuasive audit evidence
can be obtained

• procedures are performed on large volumes of transactions that tend to be predictable over time

• plausible relationships exist that are sufficiently stable and predictive for us to achieve the
required precision when forming our expectation

• an expectation can be developed with sufficient precision to identify a significant misstatement at


the desired level of assurance, and

• prior period knowledge indicates that such analysis can be effective.


When performing substantive analytical procedures, we: [5300.2]

Procedure Considerations

Determine audit objectives Effectively designed substantive analytical procedures may provide audit evidence as
and significant account to the following assertions related to significant accounts and disclosures:
balance(s)/disclosure(s)
and consider whether C, E, A, V
planned substantive Prior to designing or performing substantive analytical procedures, we consider the
analytical procedures will suitability of using substantive analytical procedures given the assertion and the
provide the desired level of desired level of assurance.
assurance
In determining the suitability of substantive analytical procedures, we consider:
[5303]

• the nature of the account or disclosure

• the assessment of the risk of significant misstatement (RoSM)

• the risk of management override, and

• whether an expectation can be developed with sufficient


precision to identify a material misstatement at the desired level
of assurance.

Consider factors impacting When designing substantive analytical procedures to respond to RoSM assessment
precision associated with an audit objective, we assess whether an expectation can be
developed with sufficient precision to identify a significant misstatement at the
desired level of assurance.
Factors impacting the precision of a substantive analytical procedure include: [5318]

• the predictability of relationships between data

• the degree to which information can be disaggregated

• the availability and reliability of data and information, both


financial and nonfinancial

• the type of procedure used.


The amount of audit evidence derived from a substantive analytical procedure varies
with its precision. Generally, the more precise the procedure, the more persuasive
the audit evidence obtained. [5319]

Identify key factors and key We develop expectations based on our understanding of the key factors and key
relationships impacting an relationships that impact an account balance or disclosure. [5322]
account/disclosure and set
expectation(s) Key factors are often the common drivers of a number of the relationships in the
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
financial statements and are frequently the same factors that management may
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
consider in preparing budgets, forecasts, or financial reports. These factors may be
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
either financial or nonfinancial. [5323]
Page 96 / 133
Key relationships usually tie the key factors to account balances or disclosures within
the audit evidence obtained. [5319]

Identify key factors and key We developInternational


expectations based on(Interntional
Audit Workbook our understanding of the key factors and key
Audit Workbook)
relationships impacting an relationships that impact an account balance or disclosure. [5322]
account/disclosure and set
expectation(s) Key factors are often the common drivers of a number of the relationships in the
financial statements and are frequently the same factors that management may
consider in preparing budgets, forecasts, or financial reports. These factors may be
either financial or nonfinancial. [5323]
Key relationships usually tie the key factors to account balances or disclosures within
the financial statements or represent interrelationships between financial statement
captions. [5324]
For example, the number of employees is the key factor and the average salary per
employee the key relationship underlying an entity's annual salary expense.
When information produced by the entity is used in setting the expectation, we obtain
audit evidence about the accuracy and completeness of that information. This may be
obtained by either evaluating the design and operating effectiveness of controls over
the production and maintenance of both financial and nonfinancial information used
in the substantive analytical procedure, or by performing other procedures to support
the completeness and accuracy of the underlying information. [5328]
When considering management information such as budgets or forecasts in
developing our expectation(s), we obtain an understanding of the process used by
management in producing these budgets/forecasts. [5329]
Where our expectation(s) is developed based on the results of inquiries of
management, we corroborate this information prior to relying on the results of
substantive analytical procedures. [5330]

Set acceptable difference

! We design each substantive analytical procedure so that its precision results in


an acceptable difference of not more than the significant misstatement threshold.
[5336]
We consider using an acceptable difference that is lower than the significant
misstatement threshold when we have a moderate or high level of risk of significant
misstatement. [5337]
We use our judgment to adjust the precision of the substantive analytical procedure
such that the acceptable difference is a reasonable percentage of the total balance
that is subject to the substantive analytical procedure. [5338]
For example, where the balance of the significant account is only just above
the significant misstatement threshold we may use our judgment and set an
acceptable difference lower than the significant misstatement threshold.

Compare recorded amount We evaluate the results of the substantive analytical procedure by comparing the
with expectation entity's recorded amount to our expectation. When the entity's recorded amount falls
within the acceptable difference around our expectation, the procedure is complete
and we have obtained the audit evidence we planned to obtain from the procedure.
[5342.1]

Investigate difference that When the entity's recorded amount falls outside the range of acceptable difference
falls outside range of around our expectation, we investigate the reason for the difference. [5342.2]
acceptable difference
The investigation of a difference that falls outside the range of acceptable difference
around our expectation ordinarily consists of the following:

• inquiries of management
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
• corroborating managements explanation, and
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• where appropriate, redesign the substantive analytical
procedure to take into account additional information. [5343.1] Page 97 / 133
falls outside range of around our expectation, we investigate the reason for the difference. [5342.2]
acceptable difference
The investigation of a difference that falls outside the range of acceptable difference
around ourInternational
expectation Auditordinarily
Workbook (Interntional
consists ofAudit
theWorkbook)
following:

• inquiries of management

• corroborating managements explanation, and

• where appropriate, redesign the substantive analytical


procedure to take into account additional information. [5343.1]
Where investigation of the difference identifies that all or a portion of the difference
is due to client error and we can quantify this error, we include the error on the
Summary of Audit Differences, where this equals or exceeds the audit difference
posting threshold. Where management provides a reasonable and valid explanation
for any difference remaining after identification of an error, we corroborate
management's explanation and where appropriate, redesign the substantive
analytical procedure to take into account this additional information. [5344.1]
Where management is unable to provide a reasonable and valid explanation for all or
a portion of the difference or management's explanation cannot be corroborated, we
reconsider our audit approach as we have not been able to obtain the audit evidence
we planned from the substantive analytical procedure. [5344.2]

Revise expectation and Where reasonable and valid explanations have been provided by management as to
acceptable difference, if why the recorded amount falls outside the range of acceptable difference and we
appropriate, and compare have been able to corroborate the explanation, we consider revising our expectation
revised expectation with and acceptable difference, where appropriate, to take into consideration the
recorded amount. additional information provided by management. [5345.1]

We document the performance of substantive analytical procedures and our conclusion in the Substantive Analytical
Procedure Template or in the working papers. [5353.1/5354]

Example substantive analytical procedures as well as example completed Substantive Analytical


Procedures Templates and spreadsheets supporting the completed templates for interest
expense, depreciation expense, and payroll expense are available on ARO and can also be
accessed from the Global Assurance Practice Page.

Substantive analytical procedures - fraud


Substantive analytical procedures alone do not provide sufficient appropriate audit evidence where a risk of management
override of controls has been identified. Where a risk of management override exists, management may have allowed
adjustments outside the normal period-end financial reporting process to have been made to the financial statements. Such
adjustments might have resulted in artificial changes to the financial statement relationships being analyzed, causing us to
draw erroneous conclusions. For this reason, substantive analytical procedures alone are not well suited to detecting fraud,
and we perform tests of journal entries. The tests of journal entries are documented in the audit objectives 3 and 5 of the
Financial Reporting Audit Program. [5313]

Possible fraud Circumstances


indicators

Difference is higher than Where a significant account balance is inherently predictable and we are able to
the acceptable difference develop a precise expectation, therefore our acceptable difference is small,
regardless of the assessed RoSM, a difference higher than the acceptable difference
may be indicative of fraud or error and require further investigation. [5340]

Management is unable to Where management is unable to provide a reasonable and valid explanation for all or
provide a reasonable and a portion of the difference or management's explanation cannot be corroborated, we
valid explanation for the reconsider our audit approach as we have not been able to obtain the audit evidence
difference or we planned from the substantive analytical procedure. This situation may be
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
management's explanation indicative of fraud and require further investigation and additional procedures.
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
cannot be corroborated [5344.2]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 98 / 133
5.5. Tests of Details
Management is unable to Where management is unable to provide a reasonable and valid explanation for all or
provide a reasonable and a portion ofInternational
the difference or management's
Audit Workbook explanation
(Interntional Audit Workbook) cannot be corroborated, we
valid explanation for the reconsider our audit approach as we have not been able to obtain the audit evidence
difference or we planned from the substantive analytical procedure. This situation may be
management's explanation indicative of fraud and require further investigation and additional procedures.
cannot be corroborated [5344.2]

5.5. Tests of Details


Tests of details are the application of one or more various techniques, such as inspection of records or documents,
inspection of tangible assets, inquiry, observation, confirmation, recalculation, or reperformance to individual items or
transactions that constitute a class of transaction, account balance derived from an estimate, other account balance, or
disclosure. [5010]
When performing tests of details, we: [5404.1]

Define the population When defining the population, we consider the following: [5407]

• we do not sample from a population to conclude on the


completeness of that population, because omitted items have no
chance of selection

• we define the population appropriate for the objective of the


substantive sampling procedure, which will include consideration
of the direction of the testing
For example, if the objective is to test the completeness of accounts
payable, the population is not the accounts payable listing but rather
subsequent disbursements, unpaid invoices, suppliers' statements,
unmatched receiving reports, or other populations that provide audit
evidence of the completeness of accounts payable listing. Therefore, we
select our sample from the source documents in order to test the
completeness of the accounts payable listing.

• we may be able to advance the effectiveness of our audit


procedures by subdividing and/or stratifying the population and
performing different tests for each subdivision
For example, inventory may include both purchased and manufactured
items. It may be difficult to audit the cost of manufactured items without
examining each component (material, labor, and overhead) separately,
while we may audit purchased items by reference to a single unit price.

• the period covered is important for tests of details applied to


classes of transactions.
Our conclusion does not relate to the entire period unless the items for the
test of details are selected from a population that covers the entire period.

Define what constitutes an We define what constitutes a difference requiring investigation and follow-up. Typical
audit difference requiring reasons for differences are: [5409]
investigation and follow-up
• differences in timing of the recording of transactions

For example, items included in the wrong period.

• differences in classification

For example, maintenance expense coded to an asset account.

• differences in amounts for data captured or processed.

For example, transposed digits or other numerical errors.


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Choose selection methods When performing tests of details, we may choose to: [5011]
for testing Page 99 / 133
• test the entire population
For example, maintenance expense coded to an asset account.
International Audit Workbook (Interntional Audit Workbook)
• differences in amounts for data captured or processed.

For example, transposed digits or other numerical errors.

Choose selection methods When performing tests of details, we may choose to: [5011]
for testing
• test the entire population

• select items with specific characteristics for testing

• select a sample by using KPMG Monetary Unit Sampling (MUS),


the KPMG Sampling Plan, or other substantive sampling
techniques with the involvement of a KPMG sampling specialist.

Methods of Examples of when it may be Considerations


selection appropriate to apply this method of
selection

Entire population For example, it may be appropriate to test


everything when the population consists of a
small number of large value items, when the
risk of significant misstatement is high, and
when other means do not provide sufficient
appropriate audit evidence.
For example, it may also be appropriate to
test everything when the repetitive nature of
a calculation or other process performed
automatically by an information system
makes it cost effective, for example, through
the use of CAATs.

Specific item testing For example, identifying items that meet Selecting specific items is likely to be more
certain criteria, such as amounts that are effective when any of the following are true:
greater than the significant misstatement [5415]
threshold, inventory items that have not
moved for more than six months, or accounts • we assess the risk of
receivable that are older than three months. significant misstatement as
low and we already have
For example, we may select items that are audit evidence from
suspicious, unusual, risk prone, or that have substantive analytical
a history of being misstated, for example procedures for the population
foreign currency transactions. being tested

• the population contains a


small number of individually
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
significant items
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• the population mainly
contains nonroutine Page 100 / 133
For example, we may select items that are audit evidence from
suspicious, unusual, risk prone, or that have substantive analytical
a history of being misstated, for example procedures for the population
foreign currencyInternational Audit Workbook (Interntional Audit Workbook)
transactions. being tested

• the population contains a


small number of individually
significant items

• the population mainly


contains nonroutine
transactions or accounting
estimates

• we identified a risk of fraud


and we apply our audit
procedures to items with
specific characteristics.
When we select key items for testing, we
still need to obtain sufficient appropriate
audit evidence relevant to the remaining
population when that remaining population is
considered significant. We use judgment to
determine whether the remaining population
is considered significant. [5425]
To select specific items, we may use
scanning. Scanning includes searching for
large or unusual items in the accounting
records (for example, nonstandard journal
entries), as well as in transaction data (for
example, suspense accounts, adjusting
journal entries) for indications of
misstatements that have occurred. Since we
test the items selected by scanning, we
obtain audit evidence about those items. Our
scanning also may provide some audit
evidence about the items not selected since
we have used professional judgment to
determine that the items not selected are
less likely to be misstated. [5421.2]

Substantive sampling For example, if the population contains a Substantive sampling is likely to be more
large number of items, substantive sampling effective when any of the following are true:
is likely to be more effective. [5415]

• we assess the risk of


significant misstatement as
high and have no audit
evidence from substantive
analytical procedures

• the population mainly


contains routine transactions.
KPMG Substantive Sampling Techniques
are appropriate: [5505]

• for audit objectives relevant


to existence and occurrence,
accuracy, valuation and
obligations, and rights
assertions

• when there are many items in


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
the population
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• when the expected difference
Page 101 / 133
in the population is less than
• for audit objectives relevant
to existence and occurrence,
accuracy, valuation and
International Audit Workbook (Interntional Audit Workbook)
obligations, and rights
assertions

• when there are many items in


the population

• when the expected difference


in the population is less than
the significant misstatement
threshold.

When we perform tests of details using a specific items approach, our audit findings relate only

! to those specific items. If we identify audit differences in auditing the specific items, those audit
differences are known audit differences and are not extrapolated to, or projected over, the
entire population from which the specific items were selected. [5424]

The existence of differences in specific items selected for testing may be indicative of audit

! differences in the remainder of the population. We consider the characteristics of the audit
difference identified and the characteristics of the remaining population when determining the
nature, timing, and extent of any additional procedures to be performed on the remaining
population. [5424]

In determining which selection method to use, we may determine that items in the population

! with certain characteristics have a higher risk of intentional misstatement due to fraud and thus,
selecting specific items to test is likely to be more effective in addressing the fraud risk than
selecting a representative sample.

An IRM specialist may assist the engagement team in planning and performing tests of details.
These may include reperformance techniques such as CAATs or in-built report writing tools.
[5404]

For each relevant assertion associated with an assertion level fraud risk, we: [3743.1]

! • evaluate the design and implementation of antifraud controls that are


relevant to the identified fraud risk and consider the risk of management
override of such controls

• test the operating effectiveness of selected assertion level controls when


we plan to rely on the operating effectiveness of controls to modify the
nature, timing, or extent of our substantive procedures, and

• perform substantive procedures including tests of details.


The use of the KPMG MUS or the KPMG Sampling Plan may not be the most effective approach
when performing substantive tests of details to address the risk of fraud because misstatements
due to fraud are ordinarily not distributed randomly throughout the population. Consequently, we
usually perform substantive sampling techniques in combination with specific items testing.
[5526.1]

5.6. Computer Assisted Audit Techniques


Using Computer Assisted Audit Techniques (CAATs) to perform audit procedures may enhance the audit process by
facilitating faster and more extensive review and analysis of large data populations. CAATs provide the ability to analyze
complete populations of data; to profile, extract, and summarize items based on specific characteristics; and to apply
selected preprogrammed routines that can be used during Substantive Testing in the performance of: [5467]

• substantive analytical procedures


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
• tests of details of transactions and balances
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• extracting data for audit testing, and/or

• reperforming calculations performed by the entity's accounting systems. Page 102 / 133
Using Computer Assisted Audit Techniques (CAATs) to perform audit procedures may enhance the audit process by
facilitating faster and more extensive review and analysis of large data populations. CAATs provide the ability to analyze
complete populations of data; to profile, extract, and summarize items based on specific characteristics; and to apply
selected preprogrammed routines that can International
be usedAudit Workbook
during (Interntional
Substantive Audit Workbook)
Testing in the performance of: [5467]

• substantive analytical procedures

• tests of details of transactions and balances

• extracting data for audit testing, and/or

• reperforming calculations performed by the entity's accounting systems.


IDEA® is a technology tool for applying CAATs to perform data analysis procedures. IDEA® may be used to read, display,
sample, and extract data from client data files. In addition to the standard functionality of the application, KPMG has
developed preprogrammed routines based on commonly employed audit procedures. IDEA® Smart Analyzer Routines have
been developed for the areas of accounts receivable, inventory, journal entries, fixed assets, and accounts payable. KPMG
Monetary Unit Sampling is also performed using the platform of IDEA®. [5466]
Example routines that are available in Smart Analyzer are as follows:

Accounts receivable • Aging by due date/invoice date


routines
• Debtors with total amount greater than credit limit

• Debtors with net credit balances

Journal entry routines • Duplicate or missing journal entries

• Out-of-balance journal entries

• Journal entries by user

Inventory routines • Zero or negative unit cost

• Negative quantity on hand

• Last sales price lower than unit cost

Fixed assets routines • Recalculate straight line depreciation

• Depreciation exceeding cost

• Fixed assets duplicate field search

Accounts payable routines • Duplicate invoices or payments

• Invoices without purchase order numbers

• Creditors with net debit balances

IDEA CAATs can help make an SE or VSE engagement more effective.

5.7. Substantive Sampling Techniques


This section provides guidance on the planning, selection, and evaluation of procedures using Substantive Sampling
Techniques when performing tests of details. [5502]

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 103 / 133


International Audit Workbook (Interntional Audit Workbook)

When we apply substantive sampling, we use one of the following KPMG substantive sampling techniques: [5521]

• KPMG Monetary Unit Sampling (KPMG MUS).


KPMG MUS is a statistical sampling technique with a selection probability that is proportionate to the size of an item
in the population and statistically projects audit differences discovered in sample items.

• KPMG Sampling Plan.


The KPMG Sampling Plan is a nonstatistical sampling approach. We select samples using a haphazard method.
We may use other substantive sampling techniques with the involvement of a KPMG Sampling Specialist. [5521.1]

We consider the involvement of KPMG sampling specialists in the following circumstances:

! [5696]

• the engagement team plans to use MUS sample items for other than a
substantive audit procedure

• substantive sampling is used for financial statement audits which require


confidence levels that are different from those stated at KAM 5569

• engagement team plans to use MUS in selecting items from complex


populations such as those involving multiple locations

• engagement team plans to use substantive sampling techniques other


than those outlined in the KAM section titled, “KPMG Substantive Sampling
Techniques”

• engagement team will use specific tolerable deviation rates, expected


error rates, and/or confidence levels to be achieved with an attribute
sample, or

• engagement team plans to use substantive sample in selecting items as a


basis for forming a statistical conclusion expressed in a special report,
attestation engagement other than a financial statement audit, or for
performing and reporting on an agreed-upon procedures engagement.
The list of scenarios above is not meant to be exhaustive.

The engagement partner uses judgment as to the knowledge and experience of the engagement team to consider whether
involvement of a KPMG sampling specialist is appropriate. [5697]

The KPMG MUS Document and Test of Details Document, both available on ALex, have been
updated to incorporate the revisions to KAM relating to consultation considerations involving
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
KPMG sampling specialists.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

The main features of the KPMG substantive sampling techniques are illustrated in the following table: [5522] Page 104 / 133
The engagement partner uses judgment as to the knowledge and experience of the engagement team to consider whether
involvement of a KPMG sampling specialist is appropriate. [5697]
International Audit Workbook (Interntional Audit Workbook)

The KPMG MUS Document and Test of Details Document, both available on ALex, have been
updated to incorporate the revisions to KAM relating to consultation considerations involving
KPMG sampling specialists.

The main features of the KPMG substantive sampling techniques are illustrated in the following table: [5522]

KPMG Monetary Unit Sampling (KPMG KPMG Sampling Plan


MUS)

Type Statistical Nonstatistical

Attributes Monetary attribute selection probability Selection is haphazard and selection


proportionate to the size of an item probability is not proportionate to the size of
an item

Stratification of Stratification is inherent in the procedure Stratification is necessary to reduce the


population sample size

Sample size Sample size is smaller than the KPMG Sample size is larger than the KPMG
Sampling Plan Monetary Unit Sampling technique
KPMG MUS does not have sample size KPMG Sampling Plan for tests of details is
limitations usually only efficient and effective for sample
sizes greater than 5

Expandability of the Sample size may be expanded to increase Sample size is increased when the most
sample size the precision of the projected results likely audit difference is larger than one-sixth
(1/6) but not more than one-half (1/2) of the
significant misstatement threshold

Significant items The planned sampling interval indicates the The KPMG Sampling Plan indicates the
monetary amount above which items are monetary amount above which items are
individually significant individually significant. This amount may be
increased not to exceed the significant
misstatement threshold

Item selection Value weighted random selection of items Haphazard selection of items

Enabling tool KPMG Monetary Unit Sampling Routine in KPMG Sampling Plan Excel template (plan
IDEA® (plan, select, and evaluate) and evaluate)

KPMG MUS may be more effective and efficient than the KPMG Sampling Plan. KPMG MUS
provides a smaller sample size and more robust results than the KPMG Sampling Plan.
Also, if we plan to apply KPMG MUS, it is not necessary to identify individually significant items.
The identification of such items is embedded in the process of selection of sample items.
Manual identification of significant items when using the KPMG Sampling Plan requires care as it
is susceptible to manual errors.

Use of the KPMG MUS or KPMG Sampling Plan may not be the most effective approach when

! performing substantive tests of details to address the risk of fraud because misstatements due to
fraud are not ordinarily distributed randomly throughout the population. If the KPMG MUS or the
KPMG Sampling Plan is used, it is usually performed in combination with a specific items testing.
[5526.1]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
We use professional judgment to determine the appropriate criteria (e.g., specific days, number
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
of entries by user, amount) to select journal entries for further evaluation. This process may
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
include combining results for the different selection criteria in order to determine the journal
entries to be tested. [5416.6.1] Page 105 / 133
The identification of such items is embedded in the process of selection of sample items.
Manual identification of significant items when using the KPMG Sampling Plan requires care as it
is susceptible to manual errors. Audit Workbook (Interntional Audit Workbook)
International

Use of the KPMG MUS or KPMG Sampling Plan may not be the most effective approach when

! performing substantive tests of details to address the risk of fraud because misstatements due to
fraud are not ordinarily distributed randomly throughout the population. If the KPMG MUS or the
KPMG Sampling Plan is used, it is usually performed in combination with a specific items testing.
[5526.1]
We use professional judgment to determine the appropriate criteria (e.g., specific days, number
of entries by user, amount) to select journal entries for further evaluation. This process may
include combining results for the different selection criteria in order to determine the journal
entries to be tested. [5416.6.1]

The use of the KPMG substantive sampling techniques is illustrated in the following decision tree: [5525]

Substantive sampling alone is inappropriate for testing completeness. Other procedures, such as

! substantive analytical procedures, are performed to test for completeness. [5511]


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 106 / 133


Please refer to the KPMG Monetary Unit Sampling Routines User Guide - International and the
International Audit Workbook (Interntional Audit Workbook)

Substantive sampling alone is inappropriate for testing completeness. Other procedures, such as

! substantive analytical procedures, are performed to test for completeness. [5511]

Please refer to the KPMG Monetary Unit Sampling Routines User Guide - International and the
KSP Practice Aide, which are available on ARO for specific guidance related to the use of these
substantive sampling techniques.

KPMG Sampling Plan - sample size factors


If we have a population where many individual items are relatively large compared to the significant misstatement
threshold, and a threshold of the significant misstatement threshold has been used for determining individually significant
items, then it is possible that the sample size calculated may exceed the number of items in the population.
This is because the KPMG Sampling Plan does not consider the number of items in a population. [5663.03]

In this case, we establish the threshold for individually significant items at significant
misstatement threshold divided by the sample size factor, which is referred to as the most
efficient monetary amount in the KPMG Sampling Plan. [5663.03]

5.7.1 Anomalous audit differences

An anomalous audit difference is an extremely rare occurrence that arises from an isolated and nonrecurring
event and therefore is not representative of the population. [5625.3.2], [5694.12]

If we determine that an audit difference is an anomaly (i.e., the difference in the sample causes the sample to be
unrepresentative of the population), we: [5625.3.2], [5694.12]

• plan and perform audit procedures to obtain additional audit evidence that provides a high
degree of certainty that the audit difference does not affect the remainder of the population,

• exclude the anomalous audit difference from the projection, and

• consider whether to increase test work on the remainder of the population.


When using KPMG Monetary Unit Sampling we also recalculate the total upper precision limit and most likely audit
difference.

We do not project an anomalous audit difference to the sampled population. [5625.3.1],

! [5694.11]

The KPMG MUS Document and Test of Details Document, both available on ALex, have been
updated to incorporate the revisions to KAM relating to anomalous audit differences.

5.7.2 Substantive attribute sampling


This section provides guidance on substantive attribute sampling techniques when testing attributes for tests of details.
[5694.14]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
The main considerations when using attribute sampling are summarized in the table below:
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Appropriate Inappropriate Page 107 / 133


5.7.2 Substantive attribute sampling
International Audit Workbook (Interntional Audit Workbook)
This section provides guidance on substantive attribute sampling techniques when testing attributes for tests of details.
[5694.14]
The main considerations when using attribute sampling are summarized in the table below:

Appropriate Inappropriate

Tests directed at underlying data (assumptions) Tests directed at monetary values

Substantive testing Tests of controls

Substantive sampling Monetary values are assigned to each unit within


the population subject to the test to allow for a
MUS or KSP sample

Substantive attribute sampling may be appropriate in those situations where non financial data is used by management to
calculate or derive a financial amount that is included in the financial information of an entity and the purpose of the test is
to conclude on the existence and/or accuracy of the data (i.e., the attribute). [5694.14.2]
Attribute data may be provided to an external expert or included in a model for developing an estimate. Often such
situations arise where management develops estimates such as pension liabilities, claim reserves, and warranties, among
others. [5694.14.2]
The following table illustrates the minimum sample sizes for substantive attribute sampling: [5694.18]

Risk of significant Audit evidence obtained from substantive procedures other than sampling
misstatement
Little or None Moderate Extensive

Low 25 NA NA

Moderate 40 25 NA

High 65 50 NA

We may consider increasing the sample from the minimum sample size outlined above based on
judgment considering the following factors: [5694.17]

• the results of audit procedures performed in previous periods relative to


the attributes

• the sensitivity of the attribute to error, and

• the relationship of the attribute to the estimate or disclosure subject to


testing.
We also consider the impact of an error for an attribute(s) subject to testing when designing our
tests.
We consult with a sampling specialist to assist in determining an appropriate sample size when
an engagement team expects to achieve certain tolerable deviation rates, expected error rates,
and/or confidence levels with an attribute sample. [5694.20]

The sample sizes included in the table above are based on expectation that no errors will be detected in the sample.
Therefore when no errors are discovered during testing, we conclude that the test objective is achieved. [5694.19]

If we find an error in our sample, we: [5694.19]

!
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
• investigate the nature and cause of the error including the impact of such
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
error(s) to the estimate or disclosure,

• discuss the error(s) discovered with management and if applicable, others Page 108 / 133
such as external experts and internal KPMG specialists, and
The sample sizes included in the table above are based on expectation that no errors will be detected in the sample.
Therefore when no errors are discovered during testing, we conclude that the test objective is achieved. [5694.19]
International Audit Workbook (Interntional Audit Workbook)

If we find an error in our sample, we: [5694.19]

! •


investigate the nature and cause of the error including the impact of such
error(s) to the estimate or disclosure,
discuss the error(s) discovered with management and if applicable, others
such as external experts and internal KPMG specialists, and

• depending on the nature and cause of the error(s) discovered, we


determine the nature and extent of additional audit procedures to
perform.

When substantive attribute sampling is used in the audit examination of items, judgment may
involve consideration of the relationship between the attribute being tested and the ultimate
monetary errors in the financial statements, as well as the amount of monetary error that would
lead to a material misstatement.
The evaluation of the monetary impact may be difficult and require the client to perform further
analysis of the data. [5694.16]

5.8. External Confirmations


We determine whether the use of external confirmations is necessary to obtain sufficient appropriate audit evidence at the
assertion level. In making this determination, we should consider RoSM, and how the audit evidence from other planned
audit procedures will reduce the RoSM to an acceptably low level. [5790.1]
When designing external confirmations, we consider the following: [5714]

The control we exercise We maintain control over the confirmation procedures by: [5725]
over confirmation requests
and responses • controlling the selection process

• sending out the confirmation requests ourselves (for example,


direct drop at the post office); we do not use the client's mail
service facilities

• ensuring that the requests are properly addressed

• requesting all replies to be sent directly back to us, and

• considering whether replies have come from the purported


senders.
Control minimizes the possibility that the results will be biased because of the
interception and alteration of confirmation requests or responses. [5724]

Any restrictions included in When we seek to confirm certain balances or other information, and management
the response or imposed requests us not to do so, we should consider whether there are valid grounds for
by management such a request and obtain audit evidence to support the validity of management's
requests. If we agree to management's request not to seek external confirmation
regarding a particular matter, we should apply alternative audit procedures to obtain
sufficient appropriate audit evidence regarding that matter. [5745]
When we consider the reasons provided by management, we apply an attitude of
professional skepticism and consider whether: [5746]

• the request has any implications regarding management's


integrity

• management's request may indicate the possible existence of


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
fraud or error, and
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• the alternative procedures will provide sufficient appropriate
Page 109 / 133
audit evidence regarding this matter.
When we consider the reasons provided by management, we apply an attitude of
professional skepticism and consider whether: [5746]

• the requestAudit
International has Workbook
any implications
(Interntionalregarding management's
Audit Workbook)
integrity

• management's request may indicate the possible existence of


fraud or error, and

• the alternative procedures will provide sufficient appropriate


audit evidence regarding this matter.

The assertions being The assertion that is being addressed will determine the type of confirmation that is
addressed prepared. For example, if the engagement team is testing the completeness
assertion with respect to a liability, then suppliers with zero or low balances may be
selected and the confirmation designed for the suppliers to provide the outstanding
balance. In this case, you are trying to determine if there are items missing from the
liability account.
We consider other audit procedures to complement confirmation procedures or to be
used instead of confirmation procedures, for assertions not adequately addressed by
confirmations. [5753]

The form of the request A positive external confirmation requests the respondent to reply to the auditor in all
cases, either by indicating agreement with the given information, or to fill in
information. [5759]
A response to a positive confirmation request is usually expected to provide reliable
audit evidence. However, there is a risk that a respondent may reply to the
confirmation request without verifying that the information is correct. We can reduce
this risk by not stating the amount (or other information) on the confirmation request,
but instead ask the respondent to fill in the amount or furnish other information. This
may result in lower response rates, because additional effort is required of the
respondents. [5760]
A negative external confirmation requests the respondent to reply only in the event of
disagreement with the information provided in the request. [5764]
However, if no response has been received, there will be no explicit audit evidence
that intended third parties have received the requests and verified that the
information is correct. Accordingly, negative confirmation requests usually provide
less reliable audit evidence than positive confirmation requests, and we usually do
not use them as a primary source of audit evidence. [5765]
Negative confirmation requests may reduce the risk of significant misstatement to an
acceptable level when: [5767]

• the risk of significant misstatement is low

• we test a large number of small balances

• we do not expect a substantial number of errors, and/or

• there is no reason to believe that respondents will disregard the


requests.

The nature of the The type of information that we request may affect the response rate and nature of
information being the evidence obtained as respondents may not always be able to confirm certain
confirmed types of information.
The balance of certain loans and leases may be difficult to confirm. Instead, the
confirmation may be designed to confirm the original balance, monthly payment,
term, etc. For suppliers or customers, it may be easier to confirm a single invoice
rather than the entire amount outstanding.

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
We take appropriate follow-up action for nonresponding accounts; consider second and,
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
sometimes, third requests (oral or written); and if appropriate, perform alternative audit
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
procedures. [5727]
Page 110 / 133
For example, for receivables, compare to subsequent cash receipts, if they can be specifically
confirmation may be designed to confirm the original balance, monthly payment,
term, etc. For suppliers or customers, it may be easier to confirm a single invoice
rather than the entire amount outstanding.
International Audit Workbook (Interntional Audit Workbook)

We take appropriate follow-up action for nonresponding accounts; consider second and,
sometimes, third requests (oral or written); and if appropriate, perform alternative audit
procedures. [5727]
For example, for receivables, compare to subsequent cash receipts, if they can be specifically
identified to items outstanding at the confirmation date, and/or customer purchase orders and
shipping documents.

We ordinarily confirm the following:

• bank balances, including: [5782]


- bank balances (including those held by "licensed deposit takers" or similar financial
institutions) at the period-end.
- the entity's "main" bank accounts and those accounts expected to have balances at period-
end that are greater than the significant misstatement threshold
- guarantees and financial instruments (including derivatives) with banks with whom we
confirm "main" bank accounts, to obtain audit evidence relevant to the appropriate disclosure
and presentation of guarantees and financial instruments, and
We may confirm other guarantees and financial instruments (including derivatives) with other third parties. [5784]

• trade receivables balances (including balances with related parties). [5791]


We ordinarily also confirm the terms of the transaction and other key information, which may affect the accounting
for the transaction. [5795]
For example, rights of return, allowances and rebates, special agreements, payment terms, etc.
We also consider obtaining external confirmations for: [5708.1]

• loans from lenders

• related-party transactions

• terms of sales contracts (for revenue recognition)

• inventories held by third parties at bonded warehouses for processing or on consignment

• property title deeds held by lawyers for safe custody or as security

• investments purchased from stockbrokers but not delivered at the period-end date

• payables balances, and

• unusual or complex transactions.


Interntional Audit Workbook

Chapter 6 - Completion
The objective of Completion is to form an audit opinion.
Before we form an audit opinion, the engagement team: [6001.2]

• performs and documents results of audit procedures performed during Completion

• evaluates on an overall basis the results of audit procedures performed and findings for audit
objectives associated with significant risks, including the risk of fraud

• evaluates significant findings and issues resulting from the audit, actions taken to address them
(including additional evidence obtained), and the basis for the conclusions reached. Significant
findings and issues are matters that are important to the procedures performed, evidence
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
obtained, or conclusions reached.
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• evaluates independence and ethical issues, and
Page 111 / 133
• forms an audit opinion after reviewing the financial statements and evaluating all audit findings.
• evaluates on an overall basis the results of audit procedures performed and findings for audit
objectives associated with significant risks, including the risk of fraud
International Audit Workbook (Interntional Audit Workbook)
• evaluates significant findings and issues resulting from the audit, actions taken to address them
(including additional evidence obtained), and the basis for the conclusions reached. Significant
findings and issues are matters that are important to the procedures performed, evidence
obtained, or conclusions reached.

• evaluates independence and ethical issues, and

• forms an audit opinion after reviewing the financial statements and evaluating all audit findings.
Completion is described in the following chart:

6.1. Performing Completion Procedures


Before our auditor's report is issued, the engagement partner, through review of the audit documentation and discussion
with the engagement team, should be satisfied that sufficient appropriate audit evidence has been obtained to support the
conclusions reached and the auditor's report to be issued. [6030]
This is accomplished by performing the following procedures:

• evaluating audit evidence

• performing an overall review of the financial statements

• updating specific topic inquiries

• performing a final evaluation of audit results for specific topics and subsequent events, and

• obtaining management representations and considering any implications.

6.1.1 Evaluating Audit Evidence


Based on the audit procedures performed and the audit evidence obtained, we evaluate the following:

• whether the assessments of the risks of material misstatement at the assertion level (RoSM)
remain appropriate

• whether sufficient appropriate audit evidence has been obtained to reduce to an acceptably low
level the risk of material misstatement in the financial statements.
In developing an opinion, we consider all relevant audit evidence, regardless of whether it appears to corroborate or to
contradict the assertions in the financial statements. [6042]

Sufficiency is the measure of the quantity of audit evidence. The quantity of the audit evidence necessary is
affected by the risk of misstatement and also by the quality of such audit evidence.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
Appropriateness is the measure of the quality of evidence, that is, its relevance and reliability in providing support
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
for, or detecting misstatements in, the classes of transactions, account balances derived from estimates, other
account balances and disclosures, and related assertion. Page 112 / 133
In developing an opinion, we consider all relevant audit evidence, regardless of whether it appears to corroborate or to
contradict the assertions in the financial statements. [6042]
International Audit Workbook (Interntional Audit Workbook)

Sufficiency is the measure of the quantity of audit evidence. The quantity of the audit evidence necessary is
affected by the risk of misstatement and also by the quality of such audit evidence.
Appropriateness is the measure of the quality of evidence, that is, its relevance and reliability in providing support
for, or detecting misstatements in, the classes of transactions, account balances derived from estimates, other
account balances and disclosures, and related assertion.

Our judgment as to what constitutes sufficient appropriate audit evidence is influenced by such factors as the following:
[6044]

• significance of the potential misstatement in the assertion and the likelihood of its having a
material effect, individually or aggregated with other potential misstatements, on the financial
statements

• effectiveness of management's responses and controls to address the risks

• experience gained during previous audits with respect to similar potential misstatements

• results of audit procedures performed, including whether such audit procedures identified specific
instances of fraud or error

• source and reliability of the available information

• persuasiveness of the audit evidence, and/or

• understanding of the entity and its environment, including its internal control.
If we have not obtained sufficient appropriate audit evidence as to a material financial statement assertion, we should
attempt to obtain further audit evidence. [6047]
If we are unable to obtain sufficient appropriate audit evidence, we should express a qualified opinion or a disclaimer of
opinion. [6048]

6.1.2 Overall Review of the Financial Statements


We perform audit procedures to evaluate whether the overall presentation of the financial statements, including the related
disclosures, are in accordance with the applicable financial reporting framework. [6052]
The results of our procedures may lead us to recommend changes in the financial statements, including presentation or
disclosure, make additional inquiries, perform other procedures, or modify our opinion. [6058]
In forming an opinion as to whether the financial statements give a true and fair view or are presented fairly, in all material
respects, in accordance with the applicable financial reporting framework, we evaluate whether the financial statements
have been prepared and presented in accordance with the specific requirements of the applicable financial reporting
framework for particular classes of transactions, account balances derived from estimates, other account balances, and
disclosures. This evaluation includes considering whether, in the context of the applicable financial reporting framework:
[6055.1]

• accounting policies selected and applied are consistent with the financial reporting framework
and are appropriate in the circumstances

• accounting estimates made by management are reasonable in the circumstances

• information presented in the financial statements, including accounting policies, is relevant,


reliable, comparable, and understandable, and

• the financial statements provide sufficient disclosures to enable users to understand the effect of
material transactions and events on the information conveyed in the financial statements.
Such sufficient disclosures relate to the form, arrangement, and content of the financial statements and their appended
notes, including, for example, the terminology used, the amount of detail given, the classification of items in the statements,
and the bases of amounts set forth.
We prepare or review a reconciliation of amounts audited in the working papers to the amounts reported in the financial
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
statements to provide a trail from the financial statements to the audit procedures performed.[6056]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
We conduct our overall review of the financial statements in the context of our understanding of the entity's applicable
financial reporting framework for accounting policies applied by the entity and within the industry. [6057] Page 113 / 133
material transactions and events on the information conveyed in the financial statements.
Such sufficient disclosures relate to the form, arrangement, and content of the financial statements and their appended
notes, including, for example, the terminology used, the amount of detail given, the classification of items in the statements,
International Audit Workbook (Interntional Audit Workbook)
and the bases of amounts set forth.
We prepare or review a reconciliation of amounts audited in the working papers to the amounts reported in the financial
statements to provide a trail from the financial statements to the audit procedures performed.[6056]
We conduct our overall review of the financial statements in the context of our understanding of the entity's applicable
financial reporting framework for accounting policies applied by the entity and within the industry. [6057]
In addition to our evaluation of the audit evidence for audit objectives, we perform the following procedures:

Final analytical procedures


We perform analytical procedures at or near the completion of the audit to: [6073]

• determine whether there are any previously unidentified risks of material misstatement, whether
due to error or fraud

• identify any significant accounts or disclosures that were identified as nonsignificant during
Planning, and

• supplement our overall review of the financial statements.


If we determine that an account or disclosure initially identified as nonsignificant during Planning is significant at period-end,
we obtain sufficient appropriate audit evidence to support the significant account or disclosure.[6073.1]
The conclusions drawn from the results of such audit procedures are intended to corroborate conclusions formed during the
audit of individual components or elements of the financial statements and assist in arriving at the overall conclusions as to
the reasonableness of the financial statements. [6063]

Supplementary information and other information

Supplementary information is information that is presented together with the financial statements that is not
required by the applicable financial reporting framework used to prepare the financial statements, normally
presented in either supplementary schedules or as additional notes. [9260]

We should be satisfied that any supplementary information presented together with the financial statements that is not
covered by our opinion is clearly differentiated from the audited financial statements. [6078.1]

Other information is financial or nonfinancial information (other than the financial statements or the auditor's
report thereon) included-either by law or custom-in a document containing audited financial statements. An
example of such a document is the annual report.
Unless required by statute or contractual obligation, we have no obligation to report specifically on other
information included in an annual report or similar document. [9196]

We document the identification of supplementary or other information that is presented together with the audited financial
statements or that is identified as other information by other jurisdictions as well as any significant matters arising from the
reading of such information and other procedures required by some jurisdictions and the resolution of such matters in the
Completion Document. [6077.0.1]

6.1.3 Specific Topic Inquiries


During Planning, we make inquiries of management, of those charged with governance, and of others within the entity as
appropriate, regarding fraud and other specific topics.
During Completion, we update these inquiries.

The timing and extent of updated inquiries is determined by the engagement team based on the

! entity's specific circumstances. [7375]


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
For example, for a private entity audit, it may be appropriate to conduct inquiries during Planning
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
with a brief update with some or all of the client interviewees shortly before the date of our audit
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
report.
Page 114 / 133
For example, for a public entity audit, it may be appropriate to conduct inquiries during Planning,
appropriate, regarding fraud and other specific topics.
During Completion, we update these inquiries.
International Audit Workbook (Interntional Audit Workbook)

The timing and extent of updated inquiries is determined by the engagement team based on the

! entity's specific circumstances. [7375]


For example, for a private entity audit, it may be appropriate to conduct inquiries during Planning
with a brief update with some or all of the client interviewees shortly before the date of our audit
report.
For example, for a public entity audit, it may be appropriate to conduct inquiries during Planning,
conduct additional interviews during each interim review, and update some or all of the
interviews shortly before the date of our audit report.

If as a result of our inquiries, we identify new financial statement level/assertion level risks relevant to specific topics, we
document these risks and how we addressed them. [6123]

6.1.4 Final Evaluation of Audit Results for Specific Topics and Subsequent Events
During Completion, we perform audit procedures, in order to evaluate the results of procedures performed in the audit,
including those related to specific topics, to fraud and to subsequent events, to determine if our previous assessments of
our responses to risks related to such matters should be modified. [6125]
This evaluation is primarily qualitative and based on our judgment. Such an evaluation may provide further insight about the
risks of significant misstatement due to fraud, other Specific Topics and subsequent events, and whether there is a need to
perform additional or different audit procedures. [6126]
Based on the audit procedures performed and the audit evidence obtained, we evaluate whether the assessments of the
risk of significant misstatement at the assertion level remain appropriate. Such an evaluation may provide further insight
about the risks of material misstatement due to fraud and whether there is a need to perform additional or different audit
procedures. As part of this evaluation, we consider whether there has been appropriate communication with other
engagement team members throughout the audit regarding information or conditions indicative of risk of material
misstatement due to fraud.[7369.1]
When we confirm that, or are unable to conclude whether, the financial statements are materially misstated as a result of
fraud, we should consider the implications for the audit. [7370]
We perform sufficient procedures to confirm or dispel a suspicion that the financial statements are materially misstated due
to fraud. If we are not able to dispel such suspicion, we consider the effect on our report and follow applicable local
consultation protocols. [7371]
We specifically consider whether the following may be indicative of fraud and investigate and perform additional procedures
as appropriate:[6006]

• conditions or information gained throughout the audit

• analytical procedures performed on period-end data

• corrected and uncorrected audit differences, as well as any omissions or other errors in
presentation and disclosure summarized in the Summary of Audit Differences.

6.1.5 Management Representations


Management representations are statements management makes to us during the course of the audit concerning matters
relating to the financial statements. They may be: [8171.1]

• oral or written

• formal or informal

• unsolicited or in response to specific inquiries.

We include audit evidence of management's representations in our working papers. [8172]

!
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 115 / 133


The engagement team needs to determine that the appropriate standard management
• formal or informal

• unsolicited or in response to specific inquiries.


International Audit Workbook (Interntional Audit Workbook)

We include audit evidence of management's representations in our working papers. [8172]

!
The engagement team needs to determine that the appropriate standard management
representation letter template is used and that the template is appropriately customized to the
entity's circumstances.

6.2. Audit Objectives Associated with Significant Risks


We document the audit objectives that include relevant assertions associated with significant risks of error and fraud risks in
the Completion Document in order to support our overall evaluation. We use the information documented in the related
working papers for these audit objectives. After providing a brief description of the audit objective and the assessed risk of
significant misstatement, we provide a summary of our audit approach including the findings derived from our audit
procedures and our conclusions. [6144]

Audit objectives associated with significant risks include all audit objectives where the inherent risk assessment
for error is "significant" or where a risk of fraud has been identified for the audit objective. [6146]

The engagement partner and an engagement manager review audit documentation relating to audit objectives associated
with significant risks. The extent of review of such audit documentation by the engagement partner and manager is a
matter of professional judgment determined by the engagement partner. [6145]
We evaluate the audit evidence obtained and consider whether it is sufficient and appropriate to form our audit opinion. We
consider relevant audit evidence regardless of whether it confirms or refutes assertions in the financial statements. [6149]

The engagement team ensures that all audit objectives that include relevant assertions
associated with significant risks of error and fraud risks that are documented in the Planning
Matrix are also included in the Completion Document.

6.3. Significant Findings and Issues

Significant findings or issues are substantive matters that are important to the procedures performed, evidence
obtained, or conclusions reached. [9240]

We document significant findings and issues; actions taken to address them, including additional evidence obtained; and the
basis for the conclusions reached in connection with each audit engagement. [6152]
The engagement partner determines which findings and issues are significant to our audit. Such findings and issues are
documented in the Completion Document. [6155]

By summarizing the results of our audit work and conclusions for all significant findings and
issues by topic rather than by audit objectives, we have an opportunity to identify trends and
management bias that may be indicated by these findings and issues.

The engagement partner and an engagement manager review all audit documentation relating to significant findings and
issues. [6154]
Significant findings and issues include, but are not limited to, the matters described below. [6153]

6.3.1 Significant Findings and Issues Identified During a Review of Interim Financial
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Information
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
We document significant findings and issues identified during the review of interim financial information and the effect on
Page 116 / 133
our audit approach in the annual audit. [6157]
The engagement partner and an engagement manager review all audit documentation relating to significant findings and
issues. [6154]
Significant findings and issues include, but are not Audit
International limited to, the(Interntional
Workbook matters Audit
described below. [6153]
Workbook)

6.3.1 Significant Findings and Issues Identified During a Review of Interim Financial
Information
We document significant findings and issues identified during the review of interim financial information and the effect on
our audit approach in the annual audit. [6157]

6.3.2 Significant Matters Involving the Selection, Application, and Consistency of


Accounting Principles, Including Related Disclosures
Significant matters involving the selection, application, and consistency of accounting principles, including related
disclosures, include, but are not limited to, accounting for complex or unusual transactions, accounting estimates, and
uncertainties as well as related management assumptions. [6160]

6.3.3 Disagreements within the Engagement Team and with Those Consulted
Where differences of opinion arise within the engagement team, with those consulted and, where applicable, between the
engagement partner and the engagement quality control reviewer, the engagement team should follow the firm's policies
and procedures for dealing with and resolving differences of opinion. [6286]
If a difference of opinion is initially identified, but is later resolved to the satisfaction of all parties involved, such as through
additional discussion, research, or consultation or through new or revised facts, it is not necessary to document the initially
identified matter as a difference of opinion. However, it may be appropriate to document the conclusions reached on the
matter elsewhere in the working papers. [6288.1]
In the event of differences of opinion, we do not release the report until the matter is resolved and documented. [2811.1]

6.3.4 Significant Difficulties in Applying Audit Procedures


Difficulties in applying audit procedures may arise when: [6296]

• we receive an inadequate number of responses to our external confirmations and to our follow-
up requests

• the reliability of the entity's IT systems is questionable

• the entity has limited documentation of internal controls over its financial reporting processes

• limited information is available to perform substantive tests on certain audit objectives, such as
accounting estimates

• there are problems in obtaining timely information from the client, and/or

• access to client personnel is limited or client personnel are not cooperative in facilitating the audit
process.
If we encounter significant difficulties in applying our audit procedures, we resolve the difficulties and document the
rationale used to resolve those significant difficulties. In resolving such difficulties, we consider modifying our audit strategy
and the planned audit procedures, which may include increasing our assessment of the risk of significant misstatement for
certain audit objectives. [6297]
If we are not able to overcome such difficulties by performing alternative audit procedures and we do not obtain sufficient
appropriate audit evidence, we consider the impact on our audit report and modify the report accordingly. Further guidance
on modifications to our report is included in the International Standards Report Manual. [6299]

6.3.5 Matters That Resulted in or Could Have Resulted in a Modification of Our Report
We document the significant matters that resulted in or could have resulted in the modification of our report in the
Completion Document. We also document, if applicable, how we have resolved the matter(s) that could have resulted in a
modification to our report, as well as the rationale for modifying or for not modifying our report. [6302]
Our report is considered to be modified in the following situations: [6302.1]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
• matters that do not affect our audit opinion (unless local laws, regulations, and professional
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
standards do not enable the auditor to modify the auditor's report)
Page 117 / 133
- unqualified opinion with an emphasis of matter paragraph (in some countries these matters
We document the significant matters that resulted in or could have resulted in the modification of our report in the
Completion Document. We also document, if applicable,
International how we(Interntional
Audit Workbook have resolved the matter(s) that could have resulted in a
Audit Workbook)
modification to our report, as well as the rationale for modifying or for not modifying our report. [6302]
Our report is considered to be modified in the following situations: [6302.1]

• matters that do not affect our audit opinion (unless local laws, regulations, and professional
standards do not enable the auditor to modify the auditor's report)
- unqualified opinion with an emphasis of matter paragraph (in some countries these matters
are not considered as a modification of the auditor's report)

• matters that affect our audit opinion


- qualified opinion
- disclaimer of opinion, and
- adverse opinion.
Guidance regarding modifications of our report is included in the International Standards Reports Manual, which can be
found on ARO. [6302.2]

6.3.6 Consultation within KPMG and with Others Outside KPMG


During the audit, we may encounter situations that require consultation, both formal and informal, with other professionals
within KPMG. [6304]
Consultation may include consultation within the KPMG member firm, with other KPMG member firms, or other KPMG
resources. If the issue has not been satisfactorily resolved after consultation with all relevant KPMG resources, KPMG
member firms may determine that it is necessary to consult with others outside of KPMG. Before any such consultation,
member firms satisfy themselves that all KPMG resources have been consulted. The approval of an appropriate partner or
their designees within the KPMG member firm, such as the risk management partner, the local professional practice
partner, or the member firm's senior partner is obtained. A record of such consultation and approval is maintained.
[6310.3]
The engagement partner should: [6305]

• be responsible for the engagement team undertaking appropriate consultation on difficult or


contentious matters

• be satisfied that members of the engagement team have undertaken appropriate consultation
during the course of the engagement, both within the engagement team and between the
engagement team and others at the appropriate level within or outside the firm

• be satisfied that the nature and scope of, and conclusions resulting from, such consultations are
documented and agreed with the party consulted, and

• determine that conclusions resulting from consultations have been implemented.


The engagement team documents consultations with other KPMG professionals that involve difficult or contentious matters
to enable an understanding of: [6309]

• the issue on which consultation was sought; and

• the results of the consultation, including any decisions taken, the basis for those decisions, and
how they were implemented.
We provide relevant documentation of the consultation to the professionals we have consulted and ask them to: [6310]

• indicate that they concur with the conclusions reached by the engagement team, and

• confirm that documentation includes a factual representation of the matters considered and the
conclusions reached.

6.3.7 Discussion of Significant Findings and Issues (Including Significant Risks) with
Management and Others
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
When we discuss significant findings or issues (including matters that give rise to significant risks) with management and
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
others, we document on a timely basis the discussions in our working papers. [6313.5]
Page 118 / 133
Others with whom we may discuss significant findings or issues include those charged with governance, other personnel
• confirm that documentation includes a factual representation of the matters considered and the
conclusions reached.
International Audit Workbook (Interntional Audit Workbook)
6.3.7 Discussion of Significant Findings and Issues (Including Significant Risks) with
Management and Others
When we discuss significant findings or issues (including matters that give rise to significant risks) with management and
others, we document on a timely basis the discussions in our working papers. [6313.5]
Others with whom we may discuss significant findings or issues include those charged with governance, other personnel
within the entity, and external parties, such as persons providing professional advice to the entity. [6313.6]

6.3.8 Contradictory of Inconsistent Information with Our Final Conclusion


If we have identified information that contradicts or is inconsistent with our final conclusion regarding a significant matter,
we should document how we addressed the contradiction or inconsistency in forming the final conclusion. [6313.10]
We do not retain documentation that is incorrect or superseded (except pursuant to the local firm's document retention
policy). [6313.12]

6.3.9 Disagreements with Management


We document disagreements with management about matters that, individually or in the aggregate, could be significant to
the entity's financial statements or our report. [6313.14]

6.4. Results of Audit Procedures


We document the results of audit procedures performed, including: [6162]

• a need for revisions, if any, to materiality for planning purposes

• significant modifications of audit strategy and planned audit procedures, including significant
changes in the assessed level of the risk of significant misstatement for audit objectives

• material weaknesses and other deficiencies in internal control over financial reporting that had a
significant effect on our audit approach, and

• the existence of material misstatements or omissions in the financial statements, including


related disclosures, and other audit adjustments.

Materiality for planning Our determination of MPP often is based on estimates of the entity's financial results,
purposes because the actual financial results may not yet be known. Therefore, prior to
evaluating the sufficiency and appropriateness of audit evidence and the effect of
uncorrected misstatements on our audit, it may be necessary to revise MPP based on
actual financial results. We would, however, expect MPP used in planning and
performing our audit to be no greater than materiality used in evaluating the effect of
misstatements on the financial statements. [3154]
Additionally, MPP is revised during the course of conducting the audit in the event we
become aware of information that would have significantly modified MPP determined
during planning. When such events cause a significant revision of MPP, we consider
whether further audit procedures need to be performed in order to obtain sufficient
appropriate audit evidence on which to base our opinion. [3152] [3153]
When a change in circumstances causes us to revise MPP downward from the
amount determined during planning, we: [3177]

• revise downward the related SMT(s)

• determine whether further audit procedures need to be


performed to obtain sufficient appropriate audit evidence, and

• revise the audit difference posting threshold accordingly, or


document why it is not necessary to revise the audit difference
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
posting threshold.
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
We document the revised MPP, SMT, and ADPT in the Completion Document.
Page 119 / 133
Significant modifications of Significant modifications to our audit strategy may result from: [6179]
• revise downward the related SMT(s)

• determine whether further audit procedures need to be


International Audit
performed Workbook
to obtain (Interntional
sufficient Audit Workbook)
appropriate audit evidence, and

• revise the audit difference posting threshold accordingly, or


document why it is not necessary to revise the audit difference
posting threshold.
We document the revised MPP, SMT, and ADPT in the Completion Document.

Significant modifications of Significant modifications to our audit strategy may result from: [6179]
audit strategy and planned
audit procedures • unexpected events, changes in conditions, or audit evidence
obtained during the course of the audit

• the identification of financial statement level risks that occurred


after we determined our audit strategy during Planning

• the identification of significant accounts and disclosures that


were initially identified as nonsignificant during Planning

• revisions to materiality for planning purposes

• changes in the timing of our audit procedures

• changes in responsibilities of engagement team members,


including KPMG specialists, and/or

• changes in the involvement of others.


As a result of unexpected events, changes in conditions, or evidence obtained from
our audit procedures, we may modify our audit plan and thereby the resulting
planned nature, timing, and extent of further audit procedures. Information may
come to our attention that differs significantly from the information available when
we planned the audit procedures. [6183]
For example, we may obtain audit evidence through the performance of substantive
procedures that contradicts the audit evidence obtained with respect to the testing of
the operating effectiveness of controls.
In such circumstances, we reevaluate the planned audit procedures based on the
revised consideration of assessed risks at the assertion level for all or some of the
classes of transactions, account balances derived from estimates, other account
balances, or disclosures. [6184]

Material weaknesses and We analyze and evaluate all exceptions discovered in internal control over financial
other deficiencies in reporting to determine whether they represent deficiencies. [4793.3]
internal control over
financial reporting A control deficiency may consist of either a design or an operating deficiency. A
design deficiency exists when either a necessary control is missing or an existing
control is not properly designed so that even when the control is operating as
designed, the control objective is not always met. An operating deficiency exists
when a properly designed control either is not operating as designed or the person
performing the control does not possess the necessary authority or qualifications to
perform the control effectively. [6189]
Material weaknesses in internal control are control deficiencies that could have a
material effect on the financial statements. [6191]
When we identify deficiencies in internal control over financial reporting, we make a
determination as to whether these control deficiencies, individually or in combination,
represent material weaknesses. [6191.1]
We document the material weaknesses and other deficiencies in internal control over
financial reporting that have a significant effect on our audit approach in the
Completion Document. For each material weakness or other deficiency, we describe
the deficiency, the related audit objective, and the effect on our audit approach.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Additionally, we document the specific members of management and/or those
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
charged with governance to whom the deficiency was communicated and the form of
communication, whether in writing or orally. [6201] Page 120 / 133
determination as to whether these control deficiencies, individually or in combination,
represent material weaknesses. [6191.1]
We document the material
International weaknesses
Audit Workbook andAudit
(Interntional other deficiencies in internal control over
Workbook)
financial reporting that have a significant effect on our audit approach in the
Completion Document. For each material weakness or other deficiency, we describe
the deficiency, the related audit objective, and the effect on our audit approach.
Additionally, we document the specific members of management and/or those
charged with governance to whom the deficiency was communicated and the form of
communication, whether in writing or orally. [6201]

Material misstatements or Misstatements in the financial statements can arise from error or fraud. The primary
omissions in the financial factor that distinguishes fraud from error is whether the underlying cause (action that
statements results in the audit difference) is intentional or unintentional. [6204]
Misstatements may include: [6204.2]

• unrecorded audit differences,

• audit differences corrected by the entity, or

• uncorrected and corrected omissions or other errors in financial


statement presentation and disclosure.

An audit difference is an audit finding in which we do not agree with the amount or classification of items or totals
in the income statement or balance sheet. [9029]

6.4.1 Materiality of Misstatements


We consider whether uncorrected audit differences are material, individually or in the aggregate, to the financial statements
taken as a whole. [6212]
In evaluating the effect of uncorrected audit differences, we consider the following factors: [6215]

• the significance of an item to the financial statements of a particular entity, such as inventories to
a manufacturing company

• the relative size of the misstatement compared with the financial statements taken as a whole
and the factual context in which the user of the financial statements would view the financial
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
statement item containing the misstatement
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• the number of financial statement captions affected, such as whether the potential misstatement
Page 121 / 133
affects the amounts and presentation of many financial statement captions
In evaluating the effect of uncorrected audit differences, we consider the following factors: [6215]

• the significance of an item to the financial statements of a particular entity, such as inventories to
a manufacturing company International Audit Workbook (Interntional Audit Workbook)

• the relative size of the misstatement compared with the financial statements taken as a whole
and the factual context in which the user of the financial statements would view the financial
statement item containing the misstatement

• the number of financial statement captions affected, such as whether the potential misstatement
affects the amounts and presentation of many financial statement captions

• the likelihood that undetected misstatements, when considered with the aggregate uncorrected
misstatements, could exceed materiality

• the nature and cause of each misstatement, including a consideration of whether the
misstatement may indicate the possible existence of fraud

• whether the misstatements indicate a pattern. If a pattern appears to exist, we consider whether
to apply audit procedures specifically to detect other similar differences.
In making materiality judgments, individually and in the aggregate, we consider: [6213]

• both quantitative and qualitative factors, and

• the results of our assessment of the risk of material misstatements due to fraud and error.

6.4.2 Methods Used in Evaluating Uncorrected Audit Differences


There are three general methods that have developed in practice that can be used to evaluate the effect of uncorrected
audit differences. These three methods are the income statement method (also referred to as the "rollover method"), the
balance sheet method (also referred to as the "iron curtain method"), and the dual method, which entails the quantification
of uncorrected misstatements using both the income statement and balance sheet methods with adjustments required if
either method results in an error that is material. [6223.1]
We document the method used in evaluating uncorrected audit differences in the Summary of Audit Differences. [6223.2]
The income statement method (rollover method) considers the effect of uncorrected prior-period audit differences primarily
from an income statement perspective. Under the income statement method, uncorrected audit differences are quantified
as the amount by which the current period income statement is misstated after considering the reversing and correcting
effects of uncorrected prior-period audit differences. Uncorrected audit differences are classified into two types: (1) those
uncorrected audit differences that originated in a prior period and reverse or are corrected in the current period and (2)
those uncorrected audit differences that originated in the current period. The effect of uncorrected prior-period audit
differences that reverse or that are corrected by management in the current period are considered in evaluating the effect
on the current period's operating results when determining whether the uncorrected audit differences materially misstate
the current period's operating results. That is, the reversing or correcting impact of uncorrected prior-period audit
differences adjusted in the current period is aggregated with uncorrected audit differences that originated in the current
period. [6227]
The balance sheet method (iron curtain method) considers the effect of uncorrected prior-period audit differences primarily
from a balance sheet perspective. Under the balance sheet method, uncorrected audit differences are quantified as the
amount that would have to be recorded to correct the error in the period-end balance sheet. Uncorrected prior-period audit
differences that reverse or are corrected by management in the current period are not considered in quantifying the amount
by which the current period's financial statements are misstated. The aggregate uncorrected audit differences for the
current period include uncorrected prior period audit differences that either have not been corrected by management or
have not reversed in the current period as well as uncorrected audit differences that originated in the current period. Again,
the emphasis is from a balance sheet perspective; the uncorrected audit differences comprise those adjustments that would
be required to properly reflect the balance sheet at period-end. [6229]
Under the dual method, the quantification of each individual uncorrected misstatement is evaluated under both the income
statement ("rollover") and balance sheet ("iron curtain") methods. [6229.2]
In most cases, the more significant misstatement identified, when assessed under the balance sheet and the income
statement methods, requires a more detailed evaluation and consideration. However, in some instances, because of
qualitative factors to be considered, the lesser of the two methods may be more important when evaluating materiality.
[6229.3]
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
Quantification under both methods is to be determined, and consideration given to relevant quantitative and qualitative
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
factors in reaching a conclusion on the materiality of the misstatements. [6229.4]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Once we have considered each individual error, we evaluate the effect of uncorrected errors in the aggregate. Under Page
the122 / 133
dual method, we evaluate the total error using the balance sheet method ("iron curtain") and the total error using the
statement ("rollover") and balance sheet ("iron curtain") methods. [6229.2]
In most cases, the more significant misstatement identified, when assessed under the balance sheet and the income
statement methods, requires a more detailed evaluation
International and consideration.
Audit Workbook However,
(Interntional Audit Workbook)in some instances, because of
qualitative factors to be considered, the lesser of the two methods may be more important when evaluating materiality.
[6229.3]
Quantification under both methods is to be determined, and consideration given to relevant quantitative and qualitative
factors in reaching a conclusion on the materiality of the misstatements. [6229.4]
Once we have considered each individual error, we evaluate the effect of uncorrected errors in the aggregate. Under the
dual method, we evaluate the total error using the balance sheet method ("iron curtain") and the total error using the
income statement method ("rollover") not by combining the "higher of" amount associated with each individual uncorrected
misstatement. [6229.7]

Change in methods
We use a consistent method from period to period when evaluating uncorrected audit differences for all accounts and for all
periods subject to our audit. [6231]
The following table summarizes the alternatives available when the engagement team is considering a change in methods
of evaluating uncorrected audit differences. [6231.1, 6231.2, 6231.3]

Current period proposed method

Method used in prior period IS method BS method Dual method

Income statement (IS) May use May use


method

Balance sheet (BS) method Not appropriate May use

Dual method Not appropriate Not appropriate

We consult the risk management partner when a change in methods for evaluating uncorrected audit differences is
contemplated, and the change affects our conclusion on the materiality of audit differences. [6232]

The method used may be predetermined by local auditing standards.


Communication in the interoffice instructions of the method to be used facilitates consistent use
of a single method by all participating offices in a multilocation engagement.

6.4.3 Consider the Fraud and Earnings Management Implications of Audit Differences
When we identify a misstatement, we should consider whether such a misstatement may be indicative of fraud, and if there
is such an indication, we should consider the implications of the misstatement in relation to other aspects of the audit,
particularly the reliability of management representations. [6236]
If our audit findings indicate possible fraud, we also consider the potential effect, including whether the audit differences
resulted from an attempt to manage earnings. [6241]
Earnings management includes the recording of accounting entries, without any event to justify the accounting, to alter
results if the perceived motivation is to conform to the user's expectations. Earnings management may also include the
failure to record or correctly record transactions for that same purpose. [6242]
We consider all corrected and uncorrected misstatements arising from the audit to determine if they occurred as a result of
one or more control deficiencies. [6243.1]

6.4.4 The Summary of Audit Differences


We accumulate in the Summary of Audit Differences identified misstatements, including audit differences and omissions and
other errors. We include all corrected and uncorrected audit differences when such misstatements are equal to or greater
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
than the audit difference posting threshold. If an audit difference is qualitatively significant but is below the audit difference
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
posting threshold, it is included in the Summary of Audit Differences. [6245]
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
These misstatements are reflected in the Summary of Audit Differences as follows: [6204.3]
Page 123 / 133
6.4.4 The Summary of Audit Differences
International Audit Workbook (Interntional Audit Workbook)
We accumulate in the Summary of Audit Differences identified misstatements, including audit differences and omissions and
other errors. We include all corrected and uncorrected audit differences when such misstatements are equal to or greater
than the audit difference posting threshold. If an audit difference is qualitatively significant but is below the audit difference
posting threshold, it is included in the Summary of Audit Differences. [6245]
These misstatements are reflected in the Summary of Audit Differences as follows: [6204.3]

• Schedule 1 - Summary of Uncorrected Audit Differences

• Schedule 2 - Summary of Corrected Audit Differences, and

• Schedule 3 - Summary of Omissions and Other Errors in Presentation and Disclosure.


We complete either Schedule 1A, Schedule 1B or Schedule 1C based on the method used in evaluating uncorrected audit
differences as follows: [6247.1]

• Schedule 1A - Dual method

• Schedule 1B - Rollover (income statement) method

• Schedule 1C - Iron curtain (balance sheet) method.

6.4.5 Audit Differences and Audit Difference Posting Thresholds

The audit difference posting threshold (ADPT) is determined during Planning and documented in
the Planning Document. When a change in circumstances causes us to revise MPP downward
from the amount determined at planning, we revise the ADPT accordingly, or document why it is
not necessary to revise the ADPT. We document the revised ADPT, or the rationale for not
revising the ADPT when MPP is revised downward, in the Completion Document.

Audit differences detected below the audit difference posting threshold need not be summarized in the Summary of Audit
Differences, and the relevant working paper is annotated to indicate that the difference is considered clearly trivial.
However, we consider their qualitative aspects. The qualitative consideration of such clearly trivial audit differences is
usually limited to a consideration of whether such audit differences:

• relate to a related party or transactions with a related party

• may indicate the possible existence of fraud, or

• individually or in the aggregate may be indicators of control deficiencies.

If an amount is considered qualitatively significant but is below the audit difference posting
threshold, it is included in the Summary of Audit Differences as an audit difference.

6.4.6 Omissions or Other Errors in Financial Statement Presentation and Disclosure

An omission or other error is an audit finding in which we do not agree with the presentation or disclosure (or
omission) of an item in the financial statements, including the related notes. [9189]

Schedule 3 includes omissions or other errors in the notes to the financial statements and in the statement of shareholders'
equity. Schedule 3 may also include other omissions and errors such as nonquantitative errors or omissions in the income
statement, balance sheet, or statement of cash flows, such as erroneous descriptions. [6271.1]

In an SE or VSE engagement, the engagement team often works closely with the entity in determining the
presentation and disclosure in the financial statements. In such cases, all omissions and other errors in financial
statement presentation and disclosure that have not been corrected and are not "de miminis" are included in
Schedule 3. The engagement team uses its judgment as to whether corrected omissions and errors are also
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
included on Schedule 3.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 124 / 133


6.4.7 Consider How Management Deals with Misstatements
statement, balance sheet, or statement of cash flows, such as erroneous descriptions. [6271.1]

In an SE or VSE engagement, the engagement team


International Auditoften works
Workbook closely Audit
(Interntional with Workbook)
the entity in determining the
presentation and disclosure in the financial statements. In such cases, all omissions and other errors in financial
statement presentation and disclosure that have not been corrected and are not "de miminis" are included in
Schedule 3. The engagement team uses its judgment as to whether corrected omissions and errors are also
included on Schedule 3.

6.4.7 Consider How Management Deals with Misstatements


We discuss identified misstatements with management. We expect management to correct the financial statements for
identified material misstatements, including known audit differences and most likely audit differences. [6275]
Management may be reluctant to correct most likely audit differences, such as projected audit differences arising from the
use of sampling methods. In such instances, we may consider obtaining additional audit evidence from further audit
procedures to encourage management to correct those audit differences. [6276]
If management refuses to adjust the financial statements and the results of extended audit procedures do not enable us to
conclude that the aggregate of uncorrected misstatements is not material, we should consider the appropriate modification
to our report in accordance with ISA 701, "Modifications to the Independent Auditor's Report" [6277]
If after our discussions with management, there remain uncorrected audit differences on Schedule 1 or uncorrected
omissions or other errors in presentation and disclosure on Schedule 3 of the Summary of Audit Differences, we document
on such schedule(s) the member of management with whom we discussed such uncorrected items. [6279.1]

6.4.8 Communicating Misstatements


We communicate misstatements-whether or not they are recorded by the entity-that have, or could have, a significant effect
on the entity's financial statements to the relevant persons who are charged with governance. This communication includes
the misstatements as documented in Schedules 1, 2, and 3 of the Summary of Audit Differences. [6282]

We may communicate Schedules 1, 2, and 3 as follows: [6282.0.1]

! •

provide a copy of the Schedules that are included in our working papers
provide a written summary of the information on the Schedules (e.g.,
aggregate numerous small audit differences), or

• orally communicate the substance of the information included on the


schedules.
We document how the communication was accomplished.

6.4.9 Other Significant Findings and Issues


Other significant matters are those specific findings and issues that are considered significant to the audit that are not
otherwise addressed above.

6.5. Independence and Ethical Issues

We initially address independence and ethical requirements during the client/engagement


acceptance/continuance process. In the Completion Document, we document all independence
and ethical issues that may have arisen in connection with the engagement and how such issues
were resolved.

The engagement partner should form a conclusion on compliance with independence requirements that apply to the audit
engagement. In doing so, the engagement partner should: [6315]

• obtain relevant information from the firm and, where applicable, network firms to identify and
evaluate circumstances and relationships that create threats to independence
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
• evaluate information on identified breaches, if any, of the firm's independence policies and
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
procedures to determine whether they create a threat to independence for the audit engagement

• take appropriate action to eliminate such threats or reduce them to an acceptable level by Page 125 / 133
applying safeguards. The engagement partner should promptly report to the firm any failure to
The engagement partner should form a conclusion on compliance with independence requirements that apply to the audit
engagement. In doing so, the engagement partner should: [6315]
International Audit Workbook (Interntional Audit Workbook)
• obtain relevant information from the firm and, where applicable, network firms to identify and
evaluate circumstances and relationships that create threats to independence

• evaluate information on identified breaches, if any, of the firm's independence policies and
procedures to determine whether they create a threat to independence for the audit engagement

• take appropriate action to eliminate such threats or reduce them to an acceptable level by
applying safeguards. The engagement partner should promptly report to the firm any failure to
resolve the matter for appropriate action, and

• document conclusions on independence and any relevant discussions with the firm that support
these conclusions.
The engagement partner should consider whether members of the engagement team have complied with ethical
requirements. [6316]

6.5.1 Forming Our Audit Opinion


We evaluate the audit evidence obtained and consider whether it is sufficient and appropriate to form an audit opinion. We
consider relevant audit evidence regardless of whether it confirms or refutes assertions in the financial statements. [6330]
If we conclude that the audit evidence is sufficient and appropriate to form an opinion, we evaluate whether the financial
statements are free of a material misstatement. [6331]
The International Standards Reports Manual, available on ARO, contains guidance on reporting in conformity with and
example reports prepared in accordance with International Standards on Auditing. [6335]
Interntional Audit Workbook

Chapter 7 - Specific Topics

The Specific Topics chapter of KAM, Chapter 7, has been rewritten consistent with the Audit

! Program for Specific Topics (Revised) (APST (Revised)) and the Specific Topics Inquiries
Document (STID).
The Specific Topics chapter of KAM should be read in conjunction with the Audit Program for
Specific Topics (Revised) and the Specific Topics Inquiries Document.
The chapter is designed to support and provide additional guidance on the procedures included
in the Audit Program for Specific Topics (Revised) and the inquiries in the Specific Topics
Inquiries Document to the extent that procedures are not already supported by Guidance
Attachments that accompany the Audit Program for Specific Topics (Revised).

The following table indicates the applicability of the Audit Program for Specific Topics (Revised) (APST (Revised)) and the
Specific Topics Inquiries Document (STID) for each audit workflow:

Interntional Audit Workbook


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Chapter 8 - Engagements to Review Interim Financial
Page 126 / 133
Information of an Audit Client
International Audit Workbook (Interntional Audit Workbook)

Interntional Audit Workbook

Chapter 8 - Engagements to Review Interim Financial


Information of an Audit Client

This section provides guidance in relation to an existing audit client for which we conduct an

! audit of its financial statements and therefore have an understanding of the entity and its
environment, including its internal control on which to base our review procedures. If we were
recently appointed as the entity's auditor, and therefore have not audited the most recent annual
financial statements, we apply additional procedures as described in the section titled, "KPMG
was not the auditor of the most recent annual financial statements" in the Other Engagement
chapter of KAM International. [8901.3.2]

If we are engaged to perform a review of interim financial information (by an entity to which we are the appointed
independent auditor) we should perform the review in accordance with International Standards on Review Engagements
(ISRE) 2410. [8902.1]

If we are engaged to perform a review of interim financial information, and we are not the

! auditor of the entity, or if we are engaged to review other financial information, we perform the
review in accordance with ISRE 2400, "Engagements to Review Financial Statements." [8903]

The objective of an engagement to review interim financial information is to enable us to express a conclusion whether, on
the basis of the review, anything has come to our attention that causes us to believe that the interim financial information is
not prepared, in all material respects, in accordance with an applicable financial reporting framework. This objective differs
significantly from that of an audit conducted in accordance with International Standards on Auditing. A review of interim
financial information does not provide a basis for expressing an opinion whether the interim financial information gives a
true and fair view, or is presented fairly, in all material respects, in accordance with an applicable financial reporting
framework. [8903.1]
A review, in contrast to an audit, is not designed to obtain reasonable assurance that the interim financial information is
free from material misstatement. A review may bring significant matters affecting the interim financial information to our
attention, but it does not provide all of the audit evidence that would be required in an audit. [8905]
The following Global Work Papers are applicable to an engagement to conduct a review of interim financial information in
accordance with ISRE 2410: [8954.4]

• Interim Review Checklist

• Interim Review Program

• Summary of Review Differences.


We make inquiries, primarily of persons responsible for financial and accounting matters, and perform analytical and other
review procedures in order to reduce to a moderate level the risk of expressing an inappropriate conclusion when the
interim financial information is materially misstated. [8905.1]

8.1 Obtain an Understanding of the Entity and Its Environment, Including Its
Internal Control
When performing a review of interim financial information, we should have an understanding of the entity and its
environment, including its internal control, as it relates to the preparation of both annual and interim financial information,
sufficient to plan and conduct the engagement so as to be able to: [8929]

• identify the types of potential material misstatement and consider the likelihood of their
occurrence, and
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
• select the inquiries, analytical, and other review procedures that will provide us with a basis for
reporting whether anything has come to our attention that causes us to believe that the interim
Page 127 / 133
financial information is not prepared, in all material respects, in accordance with the applicable
When performing a review of interim financial information, we should have an understanding of the entity and its
environment, including its internal control, as it relates to the preparation of both annual and interim financial information,
International
sufficient to plan and conduct the engagement so asAudit
to Workbook (Interntional
be able to: [8929]Audit Workbook)

• identify the types of potential material misstatement and consider the likelihood of their
occurrence, and

• select the inquiries, analytical, and other review procedures that will provide us with a basis for
reporting whether anything has come to our attention that causes us to believe that the interim
financial information is not prepared, in all material respects, in accordance with the applicable
financial reporting framework.
When we have audited the entity's financial statements for one or more annual periods and have obtained an understanding
of the entity and its environment, including its internal control, as it relates to the preparation of annual financial
information, which is sufficient to conduct the audit, we: [8930]

• update our understanding of the entity as discussed in the section titled "Understanding the
entity" of the Planning chapter, and

• obtain a sufficient understanding of internal control as it relates to the preparation of interim


financial information, as it may differ from internal control as it relates to annual financial
information.

The procedures we perform to update our understanding of the entity and its environment,
including its internal control, are included in the Interim Review Program. [8930.1]

Although we perform these procedures to update our understanding of internal control over the

! preparation of annual financial information and to obtain a sufficient understanding of internal


control as it relates to the preparation of interim financial information. Our review procedures
may lead us to come across matters that cause us to conclude that there are deficiencies in the
design or implementation of internal controls over financial reporting. These procedures may
also lead us to conclude that deficiencies in internal control which were identified during the
most recent audit are of continuing significance. We document such deficiencies in the Interim
Review Program and consider whether communication with management and those charged
with governance is appropriate. [8934]

8.2 Inquiries, Analytical Procedures, and Other Review Procedures


We should make inquiries, primarily of persons responsible for financial and accounting matters, and perform analytical and
other review procedures to enable us to conclude whether, on the basis of the procedures performed, anything has come to
our attention that causes us to believe that the interim financial information is not prepared, in all material respects, in
accordance with the applicable financial reporting framework. [8936]

The analytical procedures, inquiries, other procedures that we perform are included in the
Interim Review Program. [8930.1]
Additional guidance regarding such procedures is included below.

Procedures Additional guidance regarding this procedure

Perform analytical We apply analytical procedures to interim financial information to identify and provide
procedures a basis for inquiry about the relationships and individual items that appear to be
unusual and that may indicate a material misstatement. Analytical procedures may
include ratio analysis and statistical techniques such as trend analysis and may be
performed manually or with the use of computer-assisted techniques. [8939.0.2]

Make inquiries Professional judgment is used to determine which members of management we


need to direct our inquiries to and we also consider whether direct inquiries to other,
nonmanagement members of the entity are necessary (e.g., production and internal
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
audit personnel). [8938]
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 128 / 133


A review ordinarily does not require tests of accounting records through inspection, observation,
include ratio analysis and statistical techniques such as trend analysis and may be
performed manually or with the use of computer-assisted techniques. [8939.0.2]
International Audit Workbook (Interntional Audit Workbook)
Make inquiries Professional judgment is used to determine which members of management we
need to direct our inquiries to and we also consider whether direct inquiries to other,
nonmanagement members of the entity are necessary (e.g., production and internal
audit personnel). [8938]

A review ordinarily does not require tests of accounting records through inspection, observation,

! or confirmation procedures. Procedures for performing a review of interim financial information


are ordinarily limited to making inquiries, primarily of persons responsible for financial and
accounting matters, and applying analytical and other review procedures, rather than
corroborating information obtained concerning significant accounting matters relating to the
interim financial information. Our understanding of the entity and its environment, including its
internal control, the results of the risk assessments relating to the preceding audit, and our
consideration of materiality as it relates to the interim financial information, affects the nature
and extent of the procedures applied. [8937]

8.3 Evaluate the Results of Our Review

Results Additional guidance regarding these results

Significant findings and We document significant findings and issues and actions taken to address them in the
issues Interim Review Program. [8950.1]
Significant findings and issues are the same as for an annual audit.

Uncorrected misstatements We should evaluate, individually and in the aggregate, whether uncorrected
misstatements that have come to our attention are material to the interim financial
information. [8951]
We prepare a Summary of Review Differences in order to aggregate corrected and
uncorrected misstatements and omissions or other errors in presentation or
disclosure. [SRD]
A misstatement that originates in the current interim period (including the year-to-
date period) is to be evaluated relative to the materiality measure for that interim
period (including the year-to-date period), while the total misstatement, inclusive of
prior period effects, is evaluated relative to the materiality measure for the full fiscal
year. [8953.1]

We use the same method for evaluating uncorrected audit differences for the review of interim
financial information as we use during the annual audit.

8.4 Other Considerations


We may decide to perform certain audit procedures relevant for the purpose of the audit of the annual financial statements
concurrently with the review of interim financial information for convenience and efficiency. [8921]
For example, information gained from reading the minutes of meetings of the board of directors in connection with the
review of the interim financial information also may be used for the annual audit.
For example, performing audit procedures on significant or unusual transactions that occurred during the period, such as
business combinations, restructurings, or significant revenue transactions.
To the extent these interim review procedures are used or referenced to in the period-end audit, we may retain the interim
documentation in the interim review file and include a reference from the audit file to the interim review file. However,
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
certain jurisdictions may require a separate set of work papers for each engagement. In these cases, relevant work papers
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
would need to be copied and placed in both the interim review file and the period-end audit file. [8954.6]
Page 129 / 133
8.5 Obtain Management Representation Letters
review of the interim financial information also may be used for the annual audit.
For example, performing audit procedures on significant or unusual transactions that occurred during the period, such as
business combinations, restructurings, orInternational
significant Audit Workbook
revenue (Interntional Audit Workbook)
transactions.
To the extent these interim review procedures are used or referenced to in the period-end audit, we may retain the interim
documentation in the interim review file and include a reference from the audit file to the interim review file. However,
certain jurisdictions may require a separate set of work papers for each engagement. In these cases, relevant work papers
would need to be copied and placed in both the interim review file and the period-end audit file. [8954.6]

8.5 Obtain Management Representation Letters

An example Management Representation Letter for Review of Interim Financial Information is


available on ARO. [8957]
We may obtain additional representations related to matters specific to the entity's business or
industry. [8957]

8.6 Other Information That Accompanies the Interim Financial Information


We should read the other information that accompanies the interim financial information to consider whether any such
information is materially inconsistent with the interim financial information. [8959]
We consult with the risk management partner when we read other information in documents containing interim financial
information and we:

• identify a material inconsistency for which an amendment is necessary in the interim financial
information or in the other information but the entity refuses to make the amendment. [8959.1]

• we conclude that there is a material misstatement of fact in the other information which
management refuses to correct. [8961.1]

The terms of the engagement include management's agreement that where any document

! containing interim financial information indicates that such information has been reviewed by us,
the review report will also be included in the document.
If management has not included the review report in the document, we consult with the risk
management partner and consider seeking legal advice to assist in determining the reasonable
course of action in the circumstances. [8984]

8.7 Communication with Management and Those Charged with Governance


We should communicate relevant matters of governance interest arising from the review of interim financial information to
those charged with governance. [8964.1]
When, as a result of performing the review of interim financial information, a matter comes to our attention that causes us
to believe that it is necessary to make a material adjustment to the interim financial information for it to be prepared, in all
material respects, in accordance with the applicable financial reporting framework, we should communicate this matter as
soon as practicable to the appropriate level of management. [8965]
We communicate such matters to management and/or to those charged with governance, in writing. [8965.1]
When, in our judgment, management does not respond appropriately within a reasonable period of time, we should inform
those charged with governance. [8966]
When, in our judgment, those charged with governance do not respond appropriately within a reasonable period of time,
we should consider: [8968]

• whether to modify the report, or

• the possibility of withdrawing from the engagement, and

• the possibility of resigning from the appointment to audit the annual financial statements.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
Our communications of fraud or noncompliance are consistent with our communication during the annual audit.
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 130 / 133


8.8 Reporting
we should consider: [8968]

• whether to modify the report, or


International Audit Workbook (Interntional Audit Workbook)
• the possibility of withdrawing from the engagement, and

• the possibility of resigning from the appointment to audit the annual financial statements.
Our communications of fraud or noncompliance are consistent with our communication during the annual audit.

8.8 Reporting
Chapter 41, "Reporting on Interim Financial Information" of the International Standards Reports Manual contains guidance
on reporting in conformity with, and example reports prepared in accordance with, International Standards on Review
Engagements. [8973]
Interntional Audit Workbook

Chapter 9 - Group Audits

A group audit is an audit of financial statements that include the financial information of more than one
component or combined financial statements aggregating the financial information prepared by components that
have no parent but are under common control. [9122.2], [9122.7]

The chapter titled, Audits of Group Financial Statements (group audits) chapter, in KAM, provides policies and guidance
related to performing group audits. In addition, the policies and guidance throughout KAM apply when we act as group
auditor or when we are the component auditor.
Auditors from non-KPMG member firms (i.e., non-KPMG component auditors or non-KPMG group engagement teams) are
not subject to the policies and guidance in the group audits chapter. Non-KPMG component auditors should however be
required to follow International Standards on Auditing as requested by the KPMG group engagement team, if applicable.
[8510]

Although written primarily for group audits, the guidance in the group audits chapter, adapted as

! necessary in the circumstances, also may be useful when we involve other KPMG locations or
auditors from non-KPMG member firms in the audit of financial statements that are not group
financial statements. [8504]
For example, we may involve another auditor to observe the inventory count or inspect
physical fixed assets at a remote location.

The Group Audit Instructions, available on ALex, contain additional guidance on preparing audit
instructions for group audit engagements. [8511]
The Financial Shared Services Centres Audit Workbook provides guidance on special
considerations when we are engaged to perform a group audit and/or statutory audit
engagement where all or some of the financial reporting activities of the group are centralized at
an intra-group financial shared services centre. The Financial Shared Services Centres Audit
Workbook is available on ALex. [8512]
In addition to the policies, requirements and guidance set out in the group audits chapter in KAM,
we comply with the policies, requirements and guidance set out in the Risk Management Manual
- Global relevant to group audits, including those in Chapter 24 for multi-firm engagements.
[8503.1]

The following table indicates the applicability of Group Audit Global Work Papers for each audit workflow:

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 131 / 133


International Audit Workbook (Interntional Audit Workbook)

Interntional Audit Workbook

Appendix A - Audit Workbook Supplement 2009


Introduction and Contents
The 2009 Audit Workbook Supplement (Supplement) is intended to update the 2008 Audit Workbook and serves as a
summary of the key updates that have been made to the KPMG Audit Manual (KAM) in July 2008 and April 2009. Some of
the topics which are addressed in the Supplement are also covered in the 2008 Audit Workbook; and if so, the information
in the Supplement is to be read in conjunction with such guidance.
KAM explains that KPMG has policies relating to the way its audits are carried out, and that compliance with those policies is
mandatory. In addition to policies, KAM contains bold type paragraphs and guidance in the form of explanatory and other
material as to how policies and bold type paragraphs may be implemented. The bold type paragraphs describe basic
principles and essential procedures in International Standards on Auditing (ISAs) issued by the International Auditing and
Assurance Standards Board ("bold type paragraphs") and are to be understood and applied in the context of the KPMG audit
policies and explanatory and other material that provide guidance for their application. KAM continues to be the primary
source of KPMG policy and guidance related to the performance of a KPMG audit. [1005], [1005.1], [1011] Reporting
guidance for engagements conducted in accordance with International Standards on Quality Control, Auditing, Assurance
and Related Services issued by the International Auditing and Assurance Standards Board (International Standards) is
included in the International Standards Reports Manual and is beyond the scope of KAM and the Supplement.
The way in which KAM is applied to the circumstances of the particular audit is a matter of judgment for the engagement
partner and the engagement team. This Supplement is intended to provide information relating to the interpretation of KAM.

Section number Section Title Ref. to 2008 Audit Superseded content /


Workbook new content

Control Evaluation and


Substantive Testing

2.1 Use of audit evidence Control Evaluation 4.4 Supersedes content in the
obtained in prior periods section titled, "Using Audit
regarding the operating Evidence Gained in Prior
effectiveness of controls Periods"

2.2 Reliability of underlying Control Evaluation 4.4 Supersedes content in the


© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
data section titled, "Reliability of
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
underlying data"
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

2.3 Substantive attribute N/A New content Page 132 / 133


obtained in prior periods section titled, "Using Audit
regarding the operating Evidence Gained in Prior
effectiveness
International Audit Workbook (Interntional Audit Workbook) Periods"
of controls

2.2 Reliability of underlying Control Evaluation 4.4 Supersedes content in the


data section titled, "Reliability of
underlying data"

2.3 Substantive attribute N/A New content


sampling

2.4 Substantive analytical Substantive Testing 5.4 Supersedes content


procedures - set regarding setting the
acceptable difference acceptable difference

2.5 KPMG Sampling Plan Substantive Testing 5.7 New content


sample size factors

2.6 Anomalous audit N/A New content


differences

2.7 Involvement of KPMG Substantive Testing 5.7 Supersedes content


sampling specialists regarding involvement of a
KPMG Sampling Specialist

Other Key Updates

3.1 Criteria for use of LCE Engagement Management Supersedes content


working papers 2.4.2 regarding LCE

3.2 Consideration of omitted N/A New content


documentation and other
procedures identified after
the date of auditor's report

3.3 Concurrence from EQCR in Planning 3.4.1 Supersedes content


relation to materiality regarding concurrence
from the engagement
quality control reviewer

3.4 Group audits N/A New content

3.5 Specific Topics Specific Topics 7 Supersedes all content in


this section

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis­à­vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Page 133 / 133

You might also like