AFM 208: Introduction to Assurance
Giselle Obendorf
Estimated study time: 1 hr 6 min
Table of contents
Sources and References
Primary textbook — Arens, Alvin A., Randal J. Elder, Mark S. Beasley, and Chris E. Hogan. Auditing and Assurance Services: An Integrated Approach, 17th ed. Pearson, 2020. Supplementary — CPA Canada Handbook — Assurance (CAS standards, CSAE 3000, CSQM 1); Louwers, Timothy J., et al. Auditing and Assurance Services, 7th ed. McGraw-Hill, 2018. Standards and guidance — Canadian Auditing Standards (CAS), based on International Standards on Auditing (ISA), issued by the International Auditing and Assurance Standards Board (IAASB); CPA Code of Professional Conduct (CPA Ontario); PCAOB Auditing Standards (AS) for US-listed entities; Canadian Standard on Quality Management 1 (CSQM 1, effective December 15, 2022, replacing CSQC 1).
Chapter 1: The Concept of Assurance
1.1 What Is Assurance?
In everyday language, assurance means confidence or certainty. In the professional context, an assurance engagement is a structured process in which a practitioner evaluates a subject matter against a stated criterion and communicates the resulting conclusion to an intended user, thereby increasing the user’s confidence in the reliability of that subject matter.
The five key elements of any assurance engagement are:
- A three-party relationship: The responsible party (who prepares the subject matter), the practitioner (who evaluates it), and the intended users (who rely on the conclusion)
- A subject matter: What is being evaluated — financial statements, internal controls, sustainability disclosures, compliance with regulations, etc.
- Suitable criteria: The benchmark against which the subject matter is measured — accounting standards (IFRS, ASPE), regulatory requirements, or agreed-upon criteria
- Evidence: The information gathered by the practitioner to support the conclusion
- A written report: The formal communication of the practitioner’s conclusion
These five elements are not merely definitional checklist items. Each one raises its own set of professional judgments. Suitable criteria must be available, relevant, reliable, neutral, and understandable. Evidence must be sufficient (enough of it) and appropriate (relevant and reliable). The three-party relationship means that the practitioner’s primary accountability runs to the users, not to the party who pays the fee — a tension that defines much of the independence debate in auditing.
1.2 Why Demand for Assurance Exists
Assurance arises from a fundamental conflict of interest: those who prepare information (management) are not the same as those who rely on it (shareholders, lenders, regulators). This is the classic principal-agent problem, first articulated by Jensen and Meckling (1976). When principals (owners) delegate authority to agents (managers), they cannot perfectly observe agent behavior, creating the potential for:
- Moral hazard: The agent taking actions not in the principal’s interest once a contract is signed
- Information asymmetry: The agent knowing far more about the business than the principal ever could
- Adverse selection: The inability of the principal to distinguish truthful from misleading reports without independent verification
Assurance services reduce these problems by providing an independent check on management’s representations. They are demanded because they increase the credibility of reported information, which in turn lowers the cost of capital for the reporting entity and reduces the risk of loss for external users.
Four classical hypotheses explain demand:
| Hypothesis | Description |
|---|---|
| Information hypothesis | Audited statements provide more useful information to investors, enabling better capital allocation |
| Insurance hypothesis | The audit provides protection (and potential legal recourse) against management misrepresentation |
| Agency cost hypothesis | Audits reduce the monitoring costs of the principal-agent relationship, lowering contracting costs |
| Signalling hypothesis | Voluntarily hiring a reputable auditor signals high-quality management and trustworthy reporting |
1.3 Supply of Assurance Services
In Canada, the supply of statutory audit and most high-value assurance engagements is restricted to Chartered Professional Accountants (CPAs) licensed under provincial legislation. CPA firms provide assurance services through a network of audit partners and staff, supported by quality management frameworks mandated by Canadian Standard on Quality Management 1 (CSQM 1).
The market for assurance is stratified:
- The Big Four (Deloitte, PwC, EY, KPMG): Serve the largest public companies, financial institutions, and multinational corporations. Heavily regulated by the Canadian Public Accountability Board (CPAB) and, for dual-listed clients, by the PCAOB.
- Mid-size national and regional firms (BDO, Grant Thornton, MNP, RSM): Serve private companies, larger not-for-profits, smaller public companies, and government entities.
- Small local practices: Serve owner-managed businesses and smaller organizations, often providing compilation, review, and tax services as well as limited audit work.
The supply side is shaped by regulatory barriers to entry (licensing requirements), liability exposure, and reputational capital. A CPA firm’s most valuable asset is its reputation for independence and quality — once lost, it is extraordinarily difficult to recover (consider the collapse of Arthur Andersen following the Enron scandal in 2002).
Chapter 2: Classification of Assurance Engagements
2.1 A Spectrum of Assurance
The level of assurance a practitioner provides — and the procedures required to support it — varies along a spectrum from maximum (but not absolute) assurance down to no assurance at all.
| Engagement Type | Standard | Level of Assurance | Expression |
|---|---|---|---|
| Audit | CAS 700 series | Reasonable (high) | Positive: “In our opinion, the financial statements present fairly…” |
| Review | CSRE 2400 | Limited | Negative: “Nothing has come to our attention to indicate that the statements are not prepared in accordance with…” |
| Compilation | CSRS 4200 | None | Factual: Practitioner compiles information provided by management |
| Agreed-upon Procedures | CSRS 4400 | Not expressed | Factual findings only — users draw their own conclusions |
| Other assurance (CSAE 3000) | CSAE 3000/3410/3416 | Reasonable or limited | Depends on engagement design |
2.2 Reasonable Assurance — The Financial Statement Audit
An audit of financial statements is the most common and rigorous assurance engagement. The auditor obtains sufficient appropriate audit evidence to reduce audit risk to an acceptably low level, then expresses an opinion on whether the financial statements as a whole are free from material misstatement, whether due to fraud or error.
Inherent limitations of an audit include:
- The nature of financial reporting: Many accounting estimates involve significant uncertainty (e.g., fair values, impairment tests, actuarial assumptions).
- The nature of audit procedures: An auditor cannot examine every transaction; they use sampling and analytical techniques.
- The nature of internal controls: Controls may be circumvented by collusion or management override.
- Timeliness and cost: Delivering the audit report within a reasonable time after year-end constrains the depth of investigation.
2.3 Limited Assurance — The Review Engagement
In a review engagement governed by CSRE 2400, the practitioner applies primarily analytical procedures and inquiry of management. The practitioner does not perform the detailed testing (inspection of documents, external confirmations, physical observation) that characterizes an audit. The resulting limited assurance is lower than audit-level assurance but still provides meaningful value to users who do not need — or cannot afford — a full audit.
The negative assurance conclusion of a review — “nothing has come to our attention” — is weaker than the positive opinion of an audit. It signals that the practitioner applied limited procedures and found no material departures, but is not stating that all is well; rather that the limited procedures did not reveal problems.
2.4 Agreed-Upon Procedures (AUP) Engagements
In an AUP engagement under CSRS 4400, the practitioner and the engaging party agree in advance on specific procedures to be performed. The practitioner reports the factual findings of those procedures without expressing any overall conclusion or opinion. Because no conclusion is drawn, the practitioner’s liability exposure is more limited, and the report is restricted to the parties who agreed to the procedures.
2.5 Other Assurance Engagements
CSAE 3000 and related standards govern assurance on subject matters other than historical financial statements:
- CSAE 3416 — Reporting on Controls at a Service Organization (equivalent to SOC 1 reports): Relevant when a client outsources functions (payroll processing, IT hosting) to a third party whose controls affect the client’s financial reporting.
- CSAE 3410 — Assurance on Greenhouse Gas Statements: Growing in importance as companies face regulatory requirements for ESG and sustainability reporting.
- CSAE 3531 — Assurance on Compliance: The practitioner evaluates whether an entity has complied with specified laws, regulations, or contract terms.
- Prospective Financial Information — Practitioners may provide comfort on financial forecasts and projections used in public offerings.
Chapter 3: The Audit Environment
3.1 Agency Theory and the Rationale for Auditing
Agency theory provides the most rigorous economic foundation for auditing. In the Jensen and Meckling (1976) framework, the firm is viewed as a nexus of contracts among self-interested parties. Because managers (agents) have interests that may diverge from those of shareholders (principals), shareholders incur three types of agency costs:
- Monitoring costs: Costs incurred by principals to observe and control agent behavior (e.g., audit fees, board oversight costs)
- Bonding costs: Costs incurred by agents to signal trustworthiness (e.g., financial reporting costs, management representations)
- Residual loss: The welfare loss from remaining agency problems that cannot be efficiently eliminated
The audit reduces monitoring costs by providing credible independent verification of management’s financial representations. As a result, even in the absence of a legal requirement to audit, well-governed companies would voluntarily demand audits to reduce their cost of capital.
3.2 Users of Audited Financial Statements
The primary users of audited financial statements and their key information needs include:
| User Group | Primary Information Need | Key Concern |
|---|---|---|
| Current shareholders/investors | Assessment of management stewardship; investment returns | Earnings quality, going concern |
| Prospective investors | Valuation inputs; assessment of risk and return | Comparability, fair presentation |
| Lenders and creditors | Assessment of repayment capacity; covenant compliance | Liquidity, solvency, debt coverage |
| Suppliers and customers | Evaluation of business continuity | Going concern, cash flow |
| Regulators (CRA, securities commissions) | Compliance with tax and securities laws | Completeness, correct classification |
| Employees and unions | Job security; pension fund health | Solvency, profitability |
| Not-for-profit donors/members | Stewardship of donated resources | Program expenditure ratios |
Understanding user needs is critical to the auditor’s work because materiality — the threshold at which a misstatement becomes significant — is defined by reference to the reasonable user’s decisions. An item immaterial to a large lender may be material to a small trade creditor.
3.3 Legal Liability of Auditors
Auditors face potential liability to clients and third parties for negligent or fraudulent conduct. The Canadian legal framework distinguishes:
Contractual liability arises from the engagement contract between the auditor and the client. If the auditor fails to perform the agreed services with the standard of care of a reasonably competent professional, the client may sue for breach of contract.
Tort liability (negligence) may be owed to third parties who foreseeably rely on the auditor’s report. The seminal Canadian case is Haig v. Bamford (1977, SCC), in which the Supreme Court held that auditors owe a duty of care to a limited class of third parties whose reliance on the audit report was specifically known or reasonably foreseeable.
Fraud — making false representations with knowledge of their falsity — carries both civil and criminal consequences and is not subject to limitation clauses.
The business risk of audit engagements is shaped by the client’s industry, financial health, complexity, integrity of management, and prior audit history. Auditors manage business risk through client acceptance procedures, engagement letter terms (including limitation of liability clauses where permitted), insurance, and quality control.
Chapter 4: Professional Standards
4.1 The Canadian Standard-Setting Architecture
The standard-setting framework for Canadian assurance practitioners is multi-layered:
The Auditing and Assurance Standards Board (AASB) is the independent body that establishes assurance and related services standards for Canadian practitioners. Its standards are published in the CPA Canada Handbook — Assurance.
The International Auditing and Assurance Standards Board (IAASB) issues the International Standards on Auditing (ISAs) adopted — with Canadian modifications where necessary — as the Canadian Auditing Standards (CAS). The CAS and ISAs are effectively harmonized, enabling cross-border comparability of audit quality.
The International Ethics Standards Board for Accountants (IESBA) issues the International Code of Ethics for Professional Accountants, adopted by CPA Canada as the CPA Code of Professional Conduct.
The PCAOB (Public Company Accounting Oversight Board, US) issues auditing standards applicable to audits of US public companies and foreign private issuers listed on US exchanges. Canadian firms auditing such entities must comply with PCAOB AS standards in addition to CAS.
4.2 Key Canadian Auditing Standards
The CAS series maps directly to the ISA series. The most important standards for AFM 208 are:
| Standard | Title | Key Requirement |
|---|---|---|
| CAS 200 | Overall Objectives of the Independent Auditor | Defines reasonable assurance, professional skepticism, professional judgment |
| CAS 210 | Agreeing the Terms of Audit Engagements | Engagement letter requirements; preconditions for audit |
| CAS 240 | Auditor’s Responsibilities Relating to Fraud | Fraud risk assessment; mandatory brainstorming; specific fraud procedures |
| CAS 260 | Communication with Those Charged with Governance | Requirements to communicate significant findings to the audit committee |
| CAS 315 | Identifying and Assessing Risks of Material Misstatement | Understanding the entity; risk assessment procedures; internal control evaluation |
| CAS 320 | Materiality in Planning and Performing an Audit | Determining and applying materiality and performance materiality |
| CAS 330 | Auditor’s Responses to Assessed Risks | Designing and performing further audit procedures in response to assessed RMM |
| CAS 402 | Audit Considerations Relating to an Entity Using a Service Organization | When and how to address service organization controls |
| CAS 450 | Evaluation of Misstatements Identified During the Audit | Accumulated misstatements; communicating and correcting |
| CAS 500 | Audit Evidence | Sufficiency and appropriateness; sources and reliability |
| CAS 505 | External Confirmations | Confirmation procedures; responses and exceptions |
| CAS 520 | Analytical Procedures | When required; how to investigate significant fluctuations |
| CAS 530 | Audit Sampling | Sampling approaches; evaluating results |
| CAS 540 | Auditing Accounting Estimates | Risk-based approach to estimates including fair values |
| CAS 550 | Related Parties | Identifying and auditing related party transactions |
| CAS 560 | Subsequent Events | Events after the reporting period; auditor obligations |
| CAS 570 | Going Concern | Evaluating management’s use of the going concern assumption |
| CAS 580 | Written Representations | Management representation letter requirements |
| CAS 600 | Special Considerations — Group Financial Statements | Component auditor instructions; group audit oversight |
| CAS 700 | Forming an Opinion and Reporting on Financial Statements | Content of the auditor’s report; structure of the opinion |
| CAS 705 | Modifications to the Opinion | Qualified, adverse, and disclaimer opinions |
| CAS 706 | Emphasis of Matter and Other Matter Paragraphs | When and how to add explanatory paragraphs |
| CAS 720 | The Auditor’s Responsibilities Relating to Other Information | Reading and considering the annual report beyond the financial statements |
4.3 Quality Management — CSQM 1
Canadian Standard on Quality Management 1 (CSQM 1) replaced CSQC 1 effective December 15, 2022. CSQM 1 requires audit firms to design, implement, and operate a system of quality management (SoQM) that is tailored to the nature and circumstances of the firm — a proactive, risk-based approach replacing the prior prescriptive model.
The eight components of the CSQM 1 SoQM are:
- Risk assessment process: Identify quality risks; establish quality objectives; design responses
- Governance and leadership: Firm culture; leadership responsibilities; commitment to quality
- Relevant ethical requirements: Independence monitoring; ethics policies
- Acceptance and continuance: Client acceptance; engagement continuance
- Engagement performance: Direction, supervision, and review; consultation; engagement quality reviews
- Resources: Human resources; technological resources; intellectual resources
- Information and communication: Information systems; external communication
- Monitoring and remediation: Inspection program; root cause analysis; remediation
Chapter 5: Audit Planning and Risk Assessment
5.1 The Audit Risk Model
The cornerstone of modern risk-based auditing is the audit risk model. The model expresses the mathematical relationship between the components of audit risk:
\[ AR = IR \times CR \times DR \]Where:
- \( AR \) = Audit Risk — the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. Set at a very low level (e.g., 5%, or lower for high-profile clients).
- \( IR \) = Inherent Risk — the susceptibility of a financial statement assertion to a material misstatement, assuming no related controls. A property of the account, the industry, and the transaction type.
- \( CR \) = Control Risk — the risk that a material misstatement would not be prevented or detected and corrected on a timely basis by the entity’s internal control system.
- \( DR \) = Detection Risk — the risk that the audit procedures designed by the auditor will fail to detect a material misstatement that actually exists. This is the only component the auditor directly controls.
Since \( AR \) is the target and \( IR \) and \( CR \) are assessed (not controlled), the auditor solves for \( DR \):
\[ DR = \frac{AR}{IR \times CR} \]The lower \( DR \) needs to be, the more extensive and reliable the audit procedures must be.
An auditor sets overall audit risk at 5% (\( AR = 0.05 \)).
For the revenue account, inherent risk is assessed as high (\( IR = 0.80 \)) because the entity has a history of aggressive revenue recognition and operates in a competitive environment with pressure to meet analyst forecasts.
After testing controls over the revenue cycle, control risk is assessed as moderate (\( CR = 0.50 \)).
The required detection risk is: \( DR = 0.05 / (0.80 \times 0.50) = 0.05 / 0.40 = 0.125 \), or 12.5%.
This means the auditor's substantive procedures must be designed so that there is at most a 12.5% chance they will fail to detect a material misstatement in revenue. This requires a large sample size, extensive confirmation procedures, and careful cut-off testing.
5.2 Inherent Risk Factors
Inherent risk varies significantly across accounts and assertions. Factors that increase inherent risk include:
- Complexity of transactions: Derivatives, lease modifications, business combinations
- Degree of estimation: Fair values of Level 3 instruments, impairment, warranty provisions
- Volume and significance: High-volume routine transactions present different risks than a small number of very large, unusual transactions
- Industry-specific risks: Resource companies face commodity price risk; financial institutions face credit and market risk; retail companies face inventory valuation risk
- Management judgment: The more judgment required, the higher the risk of bias or error
- Susceptibility to misappropriation: Cash, portable assets, and intellectual property are more susceptible to theft
For every significant risk, the auditor must obtain an understanding of the related controls, and substantive procedures must be performed — the auditor cannot rely on controls alone to address a significant risk.
5.3 Understanding the Entity and Its Environment
CAS 315 requires the auditor to obtain a thorough understanding of the entity through risk assessment procedures:
- Inquiries of management and others: Discussions with management, internal audit, operations, legal counsel, and financial reporting personnel
- Analytical procedures: Comparing current financial data to prior periods, budgets, industry data, and internally consistent relationships to identify unusual fluctuations
- Observation and inspection: Touring facilities, observing operations, reading board minutes, reviewing contracts, examining the accounting manual
The entity’s environment encompasses:
- Industry factors: Competitive dynamics, regulation, seasonal patterns, technology disruption
- Business model: Products and services, supply chain, major customers and suppliers, pricing strategies
- Internal and external governance: Board composition, audit committee oversight, regulatory filings
- Financial performance: Key ratios, liquidity position, debt structure, profitability trends
- Accounting policies: Choices within GAAP that may create incentives for manipulation
- Internal control system: See Chapter 6
5.4 Materiality
Materiality in auditing is defined by reference to users: information is material if its omission or misstatement could reasonably influence the economic decisions of users. This definition links materiality to user needs, not to preparer convenience.
Common materiality benchmarks and typical percentages:
| Benchmark | Common Range | When Used |
|---|---|---|
| Pre-tax income from continuing operations | 5–10% | Profit-oriented entities where profitability drives user decisions |
| Total revenues | 0.5–1% | When income is volatile or near zero; revenue-focused industries |
| Total assets | 0.5–1% | Financial institutions; entities where the balance sheet drives decisions |
| Net assets (equity) | 1–2% | Not-for-profit entities; entities where solvency is the key concern |
| Gross profit | 1–2% | Retail, distribution — margin focused |
Auditors may also define specific materiality thresholds for certain classes of transactions or disclosures — for example, a much lower threshold for related-party transactions or executive compensation disclosures where even small misstatements could be significant regardless of their dollar value.
Chapter 6: Internal Controls
6.1 The COSO Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Internal Control — Integrated Framework in 1992, updated in 2013. It remains the dominant internal control framework worldwide. COSO defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories:
- Operations: Effectiveness and efficiency of operations
- Reporting: Reliability of financial and non-financial reporting
- Compliance: Compliance with applicable laws and regulations
The COSO framework has five interrelated components and seventeen principles:
| Component | Core Idea |
|---|---|
| Control Environment | The foundation — sets the tone; encompasses integrity, ethics, governance, organizational structure, and the board’s oversight role |
| Risk Assessment | Management’s process for identifying and analyzing risks that threaten achievement of objectives, including changes in the business environment |
| Control Activities | The specific policies and procedures that respond to identified risks — authorizations, reconciliations, segregation of duties, physical safeguards, IT controls |
| Information and Communication | Systems that capture, process, and distribute information relevant to financial reporting; communication of roles and responsibilities |
| Monitoring | Ongoing assessments and separate evaluations that confirm all five components are present and functioning |
6.2 Segregation of Duties
A fundamental principle of internal control is that no single individual should have the ability to both commit and conceal an error or fraud. The three functions that must be separated for any significant transaction cycle are:
If one employee performs all four functions — opens the mail, records the receipts, authorizes write-offs, and reconciles the bank statement — they could steal an incoming cheque and conceal the theft by writing off the customer's balance as uncollectible.
6.3 Types of Control Activities
Control activities can be classified in several overlapping ways:
Preventive vs. Detective Controls
| Type | Description | Example |
|---|---|---|
| Preventive | Designed to stop errors or fraud before they occur | Credit approval required before shipping; purchase order required before payment |
| Detective | Designed to identify errors or irregularities after they have occurred | Bank reconciliation; inventory count; exception reports |
Manual vs. Automated Controls
- Manual controls: Human judgment is applied — a supervisor approves payroll; a clerk reconciles the subsidiary ledger to the general ledger
- Automated controls: Programmed into IT systems — system rejects a purchase order that exceeds an authorized limit; system automatically applies the correct revenue recognition rule
General Controls vs. Application Controls
- IT general controls (ITGCs): Govern the IT environment overall — access controls (user authentication, role-based access); change management (program change approval procedures); operations (backup and recovery)
- Application controls: Specific to individual business processes or applications — input validation, completeness checks, automated matching of purchase orders to invoices
ITGCs are the foundation: if they are ineffective, the reliability of all automated application controls and reports is undermined, and the auditor cannot rely on those automated controls.
6.4 Evaluating Internal Controls
The auditor’s evaluation of internal controls follows a structured process:
- Obtain an understanding of the design of controls relevant to the audit (required for all audits under CAS 315)
- Assess whether the controls have been implemented — i.e., actually put in place and used
- Decide whether to test the operating effectiveness of controls (if the auditor plans to rely on controls to reduce substantive testing)
- Perform tests of controls — inspect documents, reperform procedures, observe operations, inquire of personnel — to confirm that controls operated effectively throughout the period
- Evaluate the results and determine the impact on the assessed level of control risk
A material weakness is a severe deficiency where there is a reasonable possibility that a material misstatement will not be prevented or detected. In Canada, management of public companies (and their auditors in some cases) are required to report on internal control effectiveness; the concept of material weakness is central to that report.
Chapter 7: Audit Evidence
7.1 The Concept of Sufficient Appropriate Evidence
The entire audit process is a structured evidence-gathering exercise. The auditor’s opinion is only as strong as the evidence that supports it.
Reliability of evidence is influenced by:
| Factor | More Reliable | Less Reliable |
|---|---|---|
| Source | External (from independent third parties) | Internal (prepared by the client) |
| Auditor involvement | Obtained directly by the auditor | Obtained from management |
| Form | Documentary | Oral |
| Nature of controls | From a strong control environment | From a weak control environment |
| Timeliness | Contemporary | Reconstructed after the fact |
External confirmation from a bank (e.g., confirming a cash balance) is more reliable than a management schedule showing the same amount. A physical count of inventory observed by the auditor is more reliable than the client’s count sheet alone.
7.2 Financial Statement Assertions
Every line item and disclosure in the financial statements embodies a set of assertions — implicit management claims about the underlying transactions and balances. The auditor designs evidence-gathering procedures specifically to address each relevant assertion.
Assertions about account balances at the period end:
| Assertion | Management Claims… |
|---|---|
| Existence | Assets, liabilities, and equity interests exist |
| Rights and obligations | The entity holds or controls the rights to assets; liabilities are obligations of the entity |
| Completeness | All assets, liabilities, and equity interests that should have been recorded have been recorded |
| Accuracy, valuation, and allocation | Assets, liabilities, and equity have been recorded at appropriate amounts; valuation adjustments are appropriate |
Assertions about classes of transactions and events:
| Assertion | Management Claims… |
|---|---|
| Occurrence | Transactions and events that have been recorded actually occurred and pertain to the entity |
| Completeness | All transactions and events that should have been recorded have been recorded |
| Accuracy | Amounts and other data relating to recorded transactions have been recorded appropriately |
| Cut-off | Transactions and events have been recorded in the correct accounting period |
| Classification | Transactions and events have been recorded in the proper accounts |
Assertions about presentation and disclosure:
| Assertion | Management Claims… |
|---|---|
| Occurrence and rights and obligations | Disclosed events and transactions have occurred and pertain to the entity |
| Completeness | All disclosures that should have been included in the financial statements have been included |
| Classification and understandability | Financial information is appropriately presented and described; disclosures are clearly expressed |
| Accuracy and valuation | Financial and other information is fairly disclosed and at appropriate amounts |
7.3 Types of Audit Procedures
CAS 500 identifies seven types of audit procedures:
7.3.1 Inspection
Inspection involves examining records, documents, or tangible assets. Inspecting a document provides evidence about its existence and content but does not necessarily confirm the accuracy of amounts or the occurrence of underlying transactions.
- Inspection of records: Examining a signed credit approval on a customer account supports the assertion that the credit was properly authorized
- Inspection of tangible assets: Physically examining a piece of equipment confirms its existence but not its carrying value or ownership
7.3.2 Observation
Observation involves watching a process or procedure being performed by others. The auditor observes the client’s staff conducting an inventory count, or observes how a control is being applied. Observation provides evidence only about the point in time at which the observation occurs — it does not confirm that the process is performed the same way at other times.
7.3.3 External Confirmation
Confirmation involves obtaining a direct written response from a third party (CAS 505). Confirmations are among the most reliable forms of evidence because they come from independent sources.
Negative confirmation: The respondent is asked to respond only if the stated balance is incorrect. Only appropriate when risk is low, the population consists of many small balances, and there is no reason to believe recipients will not respond. Blank confirmation: The recipient is asked to fill in the balance without being given a suggested amount — eliminates the risk that the recipient will confirm an incorrect amount without checking.
7.3.4 Recalculation
Recalculation involves re-checking mathematical accuracy — recomputing depreciation, re-footing a trial balance, recalculating interest expense on a loan. It addresses the accuracy/valuation assertion. Recalculation can be performed manually or using audit software.
7.3.5 Reperformance
Reperformance involves the auditor independently executing a procedure that was originally performed by client personnel or the client’s system. The auditor might re-age the accounts receivable schedule, re-perform a bank reconciliation, or test a sequential numbering check. Reperformance provides strong evidence that a control or a computational process is functioning correctly.
7.3.6 Analytical Procedures
Analytical procedures involve evaluating financial information through plausible relationships — comparing current-period figures to prior-period figures, to budgets, to industry data, or to non-financial data.
Analytical procedures are used at three stages of the audit:
- Planning (required by CAS 315): Help the auditor understand the entity and identify areas of potential misstatement
- As a substantive procedure (where appropriate): Provide evidence about balances and transactions when the auditor expects a reliable relationship
- Near completion (required by CAS 520): A final review to confirm that the financial statements as a whole are consistent with the auditor’s understanding of the entity
The auditor develops an expectation of current-year revenue by multiplying average selling price per unit by units sold (obtained from production records). If recorded revenue is \$8.4 million but the expectation based on non-financial data is \$7.1 million, the \$1.3 million unexplained difference (15.5%) triggers further investigation.
The auditor would: (1) inquire of management for an explanation; (2) corroborate management's explanation with supporting documents (new contracts, price list changes); (3) perform additional tests of details if the explanation is not satisfactory. An unexplained variance of this magnitude would indicate a high risk of misstatement in revenue — likely requiring an expansion of other revenue procedures.
7.3.7 Inquiry
Inquiry involves seeking information from knowledgeable persons inside or outside the entity. Inquiry is pervasive throughout the audit — but it is the weakest form of evidence because it is not corroborated by independent sources. Auditors never rely on inquiry alone for a significant assertion; they always corroborate through other procedures.
Chapter 8: Audit Sampling
8.1 Why Sampling?
It is not economically feasible to examine every transaction or balance in a large population. Audit sampling involves applying audit procedures to less than 100% of items in a population so that all items have some chance of selection, with the intent of providing a basis for conclusions about the population.
Sampling risk is the risk that the auditor’s conclusion based on a sample differs from the conclusion that would be reached if the entire population were tested.
8.2 Statistical vs. Non-Statistical Sampling
| Feature | Statistical Sampling | Non-Statistical Sampling |
|---|---|---|
| Sample selection | Random — each item has a known, non-zero probability of selection | Judgmental — the auditor uses judgment to select items |
| Sample size | Determined by statistical formula based on risk parameters | Determined by auditor judgment |
| Results evaluation | Results can be extrapolated with quantified confidence level | Results evaluated by judgment |
| Documentation | More rigorous — parameters must be stated | Simpler |
| When appropriate | Large, homogeneous populations where statistical rigor is required | Smaller or more complex populations; when auditor expertise suggests specific items |
Both approaches are acceptable under CAS 530, but the auditor must apply judgment to ensure the sample is representative of the population regardless of the method used.
8.3 Sampling for Tests of Controls
When testing controls (attribute sampling), the auditor is interested in the deviation rate — the proportion of control procedures not performed correctly.
Key concepts:
- Expected deviation rate: The auditor’s estimate of how often the control fails in the population
- Tolerable deviation rate: The maximum deviation rate the auditor is willing to accept and still conclude the control is operating effectively (typically 2–10%)
- Sample size: Increases as the tolerable rate decreases or as the expected rate increases
If the sample results show a deviation rate below the tolerable rate, the auditor concludes the control is operating effectively and can rely on it.
8.4 Sampling for Substantive Tests of Details
When sampling to test balances or transactions (variables sampling), key concepts include:
Monetary Unit Sampling (MUS), also called probability-proportional-to-size (PPS) sampling, is the most common statistical method for substantive tests of balances. Each dollar in the population has an equal probability of selection, meaning larger balances receive more sampling attention — appropriate when the auditor expects a few large misstatements.
Population (accounts receivable): \$4,000,000
Tolerable misstatement: \$150,000 (performance materiality)
Expected misstatement: \$30,000 (based on prior year experience)
Risk of incorrect acceptance: 10% (moderate detection risk)
Reliability factor for 10% risk with expected misstatement adjustment: approximately 2.3
Sampling interval: \( \$150,000 / 2.3 \approx \$65,000 \)
Sample size: \( \$4,000,000 / \$65,000 \approx 62 \) items
Each dollar of A/R has an equal chance of being selected; accounts larger than \$65,000 are automatically included.
Chapter 9: Audit of Specific Accounts
9.1 Revenue and Accounts Receivable
Revenue is one of the highest-risk areas in any audit. CAS 240 includes a rebuttable presumption that revenue recognition always involves a risk of fraud — the auditor must explicitly evaluate this presumption and document the evaluation.
Key assertions for revenue:
- Occurrence: Recorded revenue reflects actual sales of goods or services to real customers
- Cut-off: Revenue is recorded in the period in which the performance obligation is satisfied (IFRS 15 / ASPE Section 3400)
- Accuracy: Revenue amounts reflect the correct transaction price, net of discounts and returns
Typical audit procedures for revenue:
- Obtain a detailed sales listing and agree totals to the general ledger; foot the listing
- Select a sample of sales transactions and vouch to supporting documents: sales order, shipping document (bill of lading), customer invoice, and remittance advice
- Perform cut-off testing: examine sales transactions recorded in the last few days before year-end and the first few days after to ensure revenue is recorded in the correct period
- Confirm a sample of accounts receivable balances with customers (positive or blank confirmation)
- Test subsequent cash collections — examine bank records for payments received after year-end on accounts outstanding at year-end
- Review the aging schedule and assess the adequacy of the allowance for doubtful accounts
- Review credit notes and sales returns recorded after year-end to identify unrecorded liabilities or reversals that suggest cut-off errors
- Perform analytical procedures: compare gross margin to prior periods, compare revenue by product line or segment, compute revenue per unit and compare to prices lists
The auditor selects all sales recorded in the last five business days of the fiscal year (December 27–31) and the first five business days of the new year (January 2–8). For each transaction, the auditor inspects the shipping document to determine the date goods actually left the warehouse. Under an FOB shipping point policy, revenue should be recognized when goods ship; under FOB destination, when received by the customer.
If the auditor finds that a \$280,000 sale with a shipping date of January 3 was recorded on December 30, this represents a cut-off error that overstates year-end revenue by \$280,000 — which would need to be communicated to management and evaluated against materiality.
9.2 Inventory
Inventory is a high-inherent-risk area because it is subject to theft, obsolescence, and valuation complexity. Physical existence and valuation are the two most critical assertions.
Inventory observation is required by CAS 501 unless impracticable. The auditor:
- Attends the client’s physical count and observes count procedures
- Makes independent test counts of selected items and compares them to the count sheets
- Evaluates whether client count procedures are adequate (proper supervision, cut tags, restricted movement)
- Traces counts from the test count sheets to the final inventory compilation
- Scans inventory for signs of obsolescence, damage, or slow movement
Valuation of inventory under ASPE and IFRS requires inventory to be carried at the lower of cost and net realizable value (NRV). The auditor evaluates the NRV by comparing cost per unit to selling price less costs to complete and sell, looking for indicators of obsolescence, and reviewing post-year-end sales of inventory at prices below cost.
An auditor attending the inventory count at a manufacturing company selects 40 items from the count sheets and physically locates and counts them. The auditor also independently selects 20 items from the warehouse floor that are not yet on the count sheets, counts them, and ensures they are added to the count records. This two-way testing addresses both the existence assertion (items on the sheets actually exist) and the completeness assertion (all items in the warehouse are counted).
9.3 Property, Plant, and Equipment
PP&E is typically the largest asset on a balance sheet for capital-intensive companies. Key assertions and procedures:
Existence and rights: Physical inspection of significant additions; title search for real property; review of lease agreements (operating vs. finance lease classification under IFRS 16)
Valuation and completeness of additions: Vouch significant additions to purchase orders, vendor invoices, and authorization documentation; verify that capital expenditures are appropriately capitalized and not expensed
Depreciation accuracy: Recalculate depreciation for a sample of assets; verify the useful life and residual value assumptions are reasonable; agree the method used to the entity’s policy
Impairment: Assess whether indicators of impairment exist (CAS 540 / IAS 36); evaluate the reasonableness of management’s impairment test model for assets carried above recoverable amount
Completeness of disposals: Inquire whether any assets were disposed of during the year; trace proceeds on sale to cash receipts; verify the gain or loss on disposal
9.4 Accounts Payable and Accrued Liabilities
Unlike assets (where overstatement is the primary concern), the primary risk for liabilities is understatement — management has incentives to omit or understate liabilities to improve the appearance of financial position. This means completeness is the most important assertion.
Audit procedures for accounts payable:
- Obtain a detailed listing of accounts payable and reconcile to the general ledger
- Confirm a sample of supplier balances directly with vendors (especially zero-balance accounts and unusual balances)
- Perform a search for unrecorded liabilities: examine disbursements made after the period end and trace them back to determine whether the related liability existed at year-end; review invoices received after year-end for services delivered before year-end
- Examine supplier statements and reconcile to recorded balances; investigate differences
- Perform cut-off testing: review receiving reports near year-end and confirm that goods received before year-end are recorded in accounts payable
The auditor selects all cheques cleared in the first three weeks of January (after a December 31 fiscal year-end) with amounts exceeding \$5,000 and traces each payment back to its source invoice. For each invoice, the auditor confirms: (1) when was the service or goods received? (2) was the payable recorded at December 31?
A \$45,000 invoice for consulting services delivered in November, paid in January but not recorded in accounts payable at year-end, represents an unrecorded liability and understated expenses of \$45,000 — a potential misstatement requiring correction if material.
9.5 Long-Term Debt
Long-term debt carries risks related to completeness (all debt is recorded), accuracy (amounts, interest rates, and maturity dates are correctly stated), and disclosure (covenants, collateral, and fair value are properly disclosed).
Key procedures:
- Obtain or prepare a schedule of long-term debt; agree balances to confirmation from lenders
- Send confirmations to all lending institutions, asking them to confirm outstanding balances, interest rates, maturity dates, security arrangements, and any covenant violations
- Recalculate interest expense and accrued interest
- Review debt agreements for covenants; assess whether any covenants have been violated (which may require reclassification of long-term debt as current)
- Evaluate whether fair value disclosure requirements are met
Chapter 10: Completing the Audit
10.1 Evaluating Uncorrected Misstatements
As the audit progresses, the auditor accumulates a schedule of identified misstatements. At the completion stage, the auditor evaluates the aggregate effect of all uncorrected misstatements under CAS 450.
The auditor requests management to correct all identified misstatements that are not clearly trivial. If management refuses to correct a misstatement, the auditor considers whether the uncorrected amount, individually or in aggregate with other uncorrected misstatements, could be material. If so, the auditor modifies the opinion.
10.2 Subsequent Events
Subsequent events are events that occur after the balance sheet date but before the auditor’s report is issued. CAS 560 requires the auditor to perform procedures specifically designed to identify and evaluate subsequent events.
Subsequent events procedures (performed near the report date) include:
- Reading minutes of board and audit committee meetings held after year-end
- Reviewing interim financial statements and management accounts prepared after year-end
- Inquiring of management about significant events, new commitments, or litigation after year-end
- Reviewing legal invoices and correspondence after year-end
- Reviewing contracts or agreements entered into after year-end
10.3 Going Concern
CAS 570 requires the auditor to evaluate whether the going concern assumption — the premise that the entity will continue operating for the foreseeable future, typically at least twelve months from the reporting date — is appropriate.
Indicators that raise substantial doubt about going concern:
| Financial Indicators | Operating Indicators |
|---|---|
| Net liability or net current liability position | Loss of key management without replacement |
| Fixed-term borrowings approaching maturity with no refinancing | Loss of a major market, key customer, or key supplier |
| Negative operating cash flows | Disruption of supply chain |
| Inability to pay suppliers on normal terms | Labor difficulties or major litigation |
| Breach of loan covenants | Changes in law or technology that jeopardize operations |
When substantial doubt exists, the auditor evaluates management’s plans to mitigate the risk. If management’s plans are sufficient to eliminate the substantial doubt, and the entity will disclose the circumstances, the auditor may issue an unmodified opinion with an Emphasis of Matter paragraph drawing attention to the going concern disclosure.
If substantial doubt remains — because management’s plans are insufficient or the entity will not make adequate disclosure — the auditor modifies the opinion (qualified, adverse, or disclaimer, depending on the circumstances).
10.4 Management Representations
Under CAS 580, the auditor obtains a written representation letter from management (typically signed by the CEO and CFO) as at the date of the auditor’s report. The letter confirms management’s:
- Responsibility for the preparation of fair financial statements
- Belief that the financial statements present fairly in accordance with the applicable framework
- Disclosure of all known fraud and suspected fraud
- Disclosure of all known litigation and contingent liabilities
- Confirmation that all related party transactions have been disclosed
- Confirmation that no events have occurred after the period end that require adjustment or disclosure, other than those already reflected or disclosed
Management representations are necessary but not sufficient evidence. They do not replace other procedures; rather, they confirm oral representations made during the audit and document management’s accountability.
Chapter 11: Audit Reports
11.1 The Standard Unmodified Auditor’s Report
An unmodified (clean) audit opinion indicates that the auditor has obtained sufficient appropriate evidence and has concluded that the financial statements present fairly, in all material respects, in accordance with the applicable financial reporting framework.
The CAS 700 auditor’s report includes the following required elements:
- Title: “Independent Auditor’s Report” — the word “independent” signals freedom from the client
- Addressee: Typically the shareholders or those charged with governance
- Auditor’s opinion: The positive statement of fair presentation
- Basis for opinion: Reference to CAS, statement that the audit was conducted in accordance with CAS, statement of independence, and a statement that sufficient appropriate evidence was obtained
- Key Audit Matters (KAMs) (required for listed entities under CAS 701): The matters that required the most significant auditor judgment; communicated to help users understand the most important areas of the audit
- Responsibilities of management: Management’s responsibility for preparing the financial statements and maintaining internal control
- Auditor’s responsibilities: The auditor’s responsibility to obtain reasonable assurance; explanation of the audit process (risk assessment, internal control understanding, procedures, estimates evaluation, disclosure evaluation)
- Signature, location, and date: The report date is the date on which the auditor has obtained sufficient appropriate evidence
11.2 Modified Opinions
When the auditor cannot issue an unmodified opinion, CAS 705 requires a modified opinion. The nature of the modification depends on the reason for modification and its pervasiveness.
| Basis for Modification | Not Pervasive | Pervasive |
|---|---|---|
| Material misstatement | Qualified opinion (“Except for…”) | Adverse opinion |
| Inability to obtain sufficient appropriate evidence (scope limitation) | Qualified opinion (“Except for our inability to…”) | Disclaimer of opinion |
Qualified Opinion
A qualified opinion states that, except for the described matter, the financial statements present fairly. It is used when the misstatement or scope limitation is material but not pervasive. The auditor adds a Basis for Qualified Opinion paragraph describing the matter before the opinion paragraph.
"In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion paragraph, the financial statements present fairly, in all material respects, the financial position of ABC Corp as of December 31, 20XX..."
Basis for Qualified Opinion paragraph: "The Company has not recognized an impairment loss on goodwill of \$3.2 million arising from the acquisition of XYZ Inc. in 20XX. Based on our evaluation of the recoverable amount of the associated cash-generating unit, we have determined that the goodwill is impaired by approximately \$3.2 million. Had this impairment been recognized, goodwill would be reduced by \$3.2 million and net income would be reduced by \$3.2 million."
Adverse Opinion
An adverse opinion is the most severe modification. The auditor states that the financial statements do not present fairly. This is rare in practice because management typically corrects material misstatements to avoid an adverse opinion, which would make the financial statements virtually unusable.
Disclaimer of Opinion
A disclaimer is issued when the auditor cannot form an opinion because of a scope limitation so pervasive that it precludes determining whether the financial statements as a whole present fairly. The auditor states that they do not express an opinion.
11.3 Emphasis of Matter and Other Matter Paragraphs
CAS 706 requires or permits the auditor to add explanatory paragraphs:
Emphasis of Matter (EOM) paragraph: Draws attention to a matter that is properly presented or disclosed in the financial statements but that is fundamental to users’ understanding. Placed immediately after the opinion paragraph. Examples: going concern uncertainty; a significant event such as a major acquisition; adoption of a new accounting standard with a material effect.
Other Matter (OM) paragraph: Relates to a matter other than those presented or disclosed in the financial statements that is relevant to users’ understanding of the audit, auditor’s responsibilities, or auditor’s report. Examples: prior-period financial statements audited by a different auditor; restrictions on the use of the report.
Chapter 12: Auditor Independence
12.1 Why Independence is the Cornerstone of Auditing
The value of an audit depends entirely on users’ confidence that the auditor’s opinion reflects an honest, objective assessment. If the auditor is financially or otherwise dependent on the client — or is perceived to be — users will discount the opinion. Independence therefore serves not just the auditor or the client but the entire capital market ecosystem.
Independence has two dimensions:
Both dimensions must be satisfied. A practitioner who is genuinely independent in mind but whose personal financial interests in the client make independence appear compromised has not met the standard.
12.2 Threats to Independence
The CPA Code of Professional Conduct (aligned with the IESBA Code) identifies five categories of threats:
| Threat | Description | Example |
|---|---|---|
| Self-interest | Financial or other interests in the client | Holding shares in an audit client; unpaid fees from a prior year |
| Self-review | Reviewing one’s own work as part of an assurance conclusion | Auditing financial statements that the CPA firm helped prepare |
| Advocacy | Promoting the client’s position or point of view | Acting as legal counsel or investment banker for the client |
| Familiarity | Being too sympathetic to the client’s interests because of close relationships | Long-standing personal friendship between audit partner and CFO |
| Intimidation | Being deterred from acting objectively by threats from the client | Client threatens to replace the auditor if a qualified opinion is issued |
12.3 Safeguards Against Threats to Independence
Safeguards are actions or conditions that can eliminate threats or reduce them to an acceptable level. They operate at three levels:
Profession- and standard-setting level: Requirements established by regulators and standard-setters that apply to all practitioners:
- Mandatory rotation of audit partners (every seven years for listed entities under Canadian rules)
- Prohibition on holding financial interests in audit clients
- Prohibition on certain non-audit services (bookkeeping, financial statement preparation) for audit clients that are public interest entities
- Required quality control reviews
Firm-level safeguards: Internal policies and procedures:
- Engagement quality reviews by partners not involved in the engagement
- Ethics and independence monitoring systems
- Partner rotation policies
- Second-partner reviews on high-risk engagements
Engagement-level safeguards: Actions taken on specific engagements:
- Removing the individual facing the threat from the engagement team
- Consulting with the firm’s ethics or independence partner
- Disclosing the matter to those charged with governance (the audit committee)
12.4 Prohibited Non-Audit Services
When the same firm provides both audit and non-audit services to a client, self-review and self-interest threats may arise. Regulators impose significant restrictions, particularly for public interest entities (listed companies, financial institutions):
Absolutely prohibited for audit clients (under many regulatory regimes, including PCAOB rules and CPA Code restrictions for public interest entities):
- Bookkeeping and accounting services
- Financial statement preparation
- Internal audit services for significant components
- Management functions (acting as an officer or director)
- Actuarial services that involve material estimates in the financial statements
- Broker-dealer, investment adviser, or investment banking services
- Legal services
- Recruiting senior management
Permitted with appropriate safeguards:
- Tax compliance services (with limitations)
- Transaction advisory (due diligence on acquisitions that are not audit clients)
- Training and education
- Agreed-upon procedures on non-financial information
Chapter 13: The Auditor’s Professional Responsibilities
13.1 Professional Skepticism
Professional skepticism is more than a mindset — it is an active, ongoing discipline that shapes every audit procedure and every evaluation of evidence.
Skepticism is not cynicism or automatic distrust of management. It is the disciplined refusal to accept assertions without corroborating evidence — especially when:
- Evidence comes only from the client (unconfirmed by external sources)
- Assertions concern estimates with significant uncertainty
- The assertion relates to an area of known fraud risk (revenue, complex financial instruments)
- Management is under pressure to report favorable results
- Prior audits have identified misstatements in the same area
The IAASB has increasingly emphasized that skepticism must be robustly documented — the auditor’s file must show not just what procedures were performed but how the auditor challenged management’s explanations and corroborated key assertions.
13.2 The Fraud Triangle and Auditor Responsibilities
CAS 240 requires the auditor to maintain an attitude of professional skepticism throughout the audit, recognizing that a material misstatement due to fraud may exist even if past experience suggests management is honest.
The fraud triangle (Cressey, 1953) identifies three conditions that commonly coexist in fraud situations:
1. Incentive/Pressure — The motivation to commit fraud (financial distress, performance bonuses, debt covenants, external analyst expectations)
2. Opportunity — The ability to commit and conceal fraud (weak controls, management override, lack of segregation of duties, complex transactions)
3. Rationalization — The perpetrator's ability to justify the behavior ("It was just a loan," "The company owes me," "Everyone does it")
The auditor uses knowledge of these conditions to assess fraud risk and design procedures that are specifically responsive to identified fraud risks, including:
- Unpredictability in procedure selection: Auditors should vary the nature, timing, and extent of procedures from year to year so that management cannot predict exactly what will be tested
- Journal entry testing: CAS 240 specifically requires the auditor to test journal entries and other adjustments for indicators of management override
- Revenue recognition skepticism: The rebuttable presumption under CAS 240 requires the auditor to explicitly treat revenue recognition as a fraud risk and design procedures accordingly
13.3 Communication with Those Charged with Governance
CAS 260 and CAS 265 govern the auditor’s communication responsibilities:
CAS 260 — Required communications to the audit committee (or equivalent):
- The auditor’s responsibilities under CAS
- Planned scope and timing of the audit
- Significant findings from the audit, including: significant qualitative aspects of accounting practices; significant difficulties encountered; any significant matters discussed with management; uncorrected misstatements; modified opinion circumstances; significant auditor judgments; going concern matters; related party matters
CAS 265 — Significant deficiencies in internal control: The auditor must communicate, in writing, any significant deficiencies identified during the audit to those charged with governance, and may also communicate other deficiencies to management.
Effective communication between the auditor and the audit committee is considered one of the most important aspects of audit quality. The audit committee (typically composed of independent directors with financial expertise) serves as the interface between the auditor and the board, providing oversight that management cannot provide for itself.
Chapter 14: Entry-Level Audit Tasks
14.1 The Role of the Junior Auditor
University graduates joining a CPA firm typically begin their careers as audit juniors or associates. They work under the supervision of seniors, managers, and partners, and are assigned specific tasks within a larger audit program. Entry-level tasks develop foundational skills in evidence evaluation, documentation, and professional communication.
Core competencies expected of a junior auditor:
- Understanding of the financial reporting framework (IFRS, ASPE) and the assertions embedded in each financial statement area
- Ability to design and perform specific audit procedures and document them in working papers
- Professional communication — clear, concise writing; appropriate tone in client interactions
- Attention to detail — the ability to identify exceptions and anomalies in large data sets
- Time management — meeting audit deadlines while maintaining quality
14.2 Common Junior Auditor Tasks
Vouching and Tracing
Vouching means tracing from the accounting record back to the supporting document — testing that recorded transactions are real (existence/occurrence):
From journal entry → to purchase order → to vendor invoice → to receiving report
Tracing means the opposite — moving from source documents forward into the accounting records — testing that all transactions are recorded (completeness):
From shipping document → to sales invoice → to accounts receivable record → to the general ledger
Footing and Cross-Footing
Footing means verifying the vertical total of a column of numbers. Cross-footing verifies that the sum of subtotals equals the grand total. These procedures test the accuracy assertion and are frequently automated using audit software, but junior auditors should understand the underlying concept.
Bank Reconciliation Review
The junior auditor typically:
- Agrees the balance per bank statement to the bank confirmation
- Agrees the balance per books to the general ledger
- Tests outstanding cheques: traces them to the outstanding cheques list in the prior-month reconciliation and verifies clearance in subsequent bank statements (unusual items may indicate kiting or fictitious payments)
- Tests deposits in transit: agrees them to subsequent bank statements
- Investigates unusual reconciling items
Accounts Receivable Confirmation Administration
Junior auditors draft confirmation letters, mail them directly (not through the client), maintain a log of responses, and follow up on non-responses and exceptions. Exceptions — differences between the balance confirmed by the customer and the balance per the client’s records — must be investigated and resolved.
Inventory Count Attendance
Under the supervision of a senior, the junior auditor:
- Arrives at the warehouse before counting begins and familiarizes themselves with the client’s count instructions
- Makes independent test counts of selected items (typically selected from both the count sheets and the physical inventory)
- Documents counts on their own working paper, not on the client’s count sheets
- Confirms that cutoff information (last shipping and receiving documents) is captured
14.3 Working Paper Documentation
All audit procedures must be documented. Well-prepared working papers exhibit:
- Clearly stated objective: Which assertion for which account is this procedure addressing?
- Description of the procedure: What was done, how many items were selected, how they were selected
- Source of information examined: “Agreed to vendor invoice #4521 dated November 3, 20XX”
- Conclusion: “No exceptions noted” or “Exception — see cross-reference W/P C-12”
- Preparer identification and date
- Reviewer sign-off
Working papers must be retained under CSQM 1 for a minimum period (typically five to seven years for audit files). In a legal dispute or regulatory inspection, the working papers are the primary evidence of what the auditor did — if it is not documented, regulators and courts will presume it was not done.
Chapter 15: Special Topics in Assurance
15.1 Audits of Not-for-Profit Organizations
Not-for-profit entities (NPOs) present unique audit challenges:
- Revenue is primarily from donations, grants, and government funding rather than arm’s-length commercial transactions
- Restricted funds must be spent only for specified purposes; auditors test fund accounting compliance
- The primary risk is misappropriation of assets (given the nature of NPO governance) and improper allocation of expenses between restricted and unrestricted funds
- The financial reporting framework for Canadian NPOs is ASPE Part III (Accounting Standards for Not-for-Profit Organizations, ASNPO)
15.2 Group Audits
When a parent entity has subsidiaries (collectively, a “group”), the group auditor (also called the principal auditor) is responsible for the group financial statements. CAS 600 governs group audits and requires the group engagement team to:
- Understand the group, its components, and their environments
- Identify and assess risks of material misstatement at the group level
- Determine which components require a full audit, a review, or specified procedures, based on their significance to the group
- Provide instructions to component auditors (if different firms audit subsidiaries) and evaluate their work
- Communicate clearly with component auditors and obtain their audit documentation
15.3 Service Organization Audits (CSAE 3416)
Many entities outsource key functions — payroll processing, cloud hosting, data management — to service organizations. The controls at the service organization may be relevant to the user entity’s financial reporting. CSAE 3416 allows service organization auditors to issue:
- Type 1 report: Description of the service organization’s system and the suitability of design of controls — at a point in time
- Type 2 report: Description and suitability of design plus operating effectiveness of controls over a specified period — provides much stronger assurance to user entity auditors
User entity auditors refer to Type 2 reports to reduce their own control testing when significant transaction processing is outsourced.
15.4 Sustainability and ESG Assurance
ESG (Environmental, Social, and Governance) assurance is one of the fastest-growing areas of assurance practice. Driven by regulatory requirements (e.g., the ISSB standards — IFRS S1 and IFRS S2 — and anticipated mandatory disclosure requirements from the Canadian Securities Administrators), companies are increasingly required to have their sustainability disclosures independently assured.
CSAE 3410 governs assurance on greenhouse gas statements. The principles are similar to financial statement auditing: the practitioner evaluates whether the reported GHG inventory is prepared in accordance with stated criteria (typically the GHG Protocol or ISO 14064), with reasonable or limited assurance.
Significant challenges in ESG assurance include:
- Criteria: Sustainability reporting standards are still evolving and less settled than financial accounting standards
- Data quality: Non-financial data collection systems are typically less mature than financial systems
- Scope 3 emissions: Indirect emissions in the supply chain are difficult to measure and verify
- Expertise: ESG assurance requires technical knowledge (engineering, environmental science) in addition to accounting and auditing skills
Summary: Key Takeaways for AFM 208
The Assurance Function: Assurance services reduce information asymmetry between management and users of financial information, lowering the cost of capital and protecting investors, lenders, and other stakeholders. The demand for assurance is rooted in agency theory; the supply is restricted to licensed CPA practitioners.
Types of Engagements: Audits provide reasonable (high, not absolute) assurance through a positive opinion; reviews provide limited assurance through a negative conclusion; agreed-upon procedure engagements report factual findings only. The choice of engagement type depends on user needs, the cost-benefit trade-off, and regulatory requirements.
The Audit Risk Model: \( AR = IR \times CR \times DR \) is the quantitative expression of audit logic. The auditor cannot change inherent risk but can assess it; can reduce control risk by testing internal controls; and adjusts detection risk by varying the nature, timing, and extent of substantive procedures.
Evidence Quality: Evidence is evaluated for sufficiency (quantity) and appropriateness (relevance and reliability). External, independently obtained evidence is more reliable than internal evidence. Inquiry alone is never sufficient for a significant assertion.
Internal Controls: The COSO framework structures internal controls across five components. Effective controls reduce the auditor’s substantive testing requirements. Significant deficiencies must be communicated in writing to those charged with governance.
Professional Responsibilities: Independence — in both mind and appearance — is non-negotiable. Professional skepticism requires active corroboration of assertions, not passive acceptance. Fraud risk is always present and requires specific responsive procedures.
Audit Reports: An unmodified opinion signals fair presentation. Modified opinions (qualified, adverse, disclaimer) reflect material misstatements or scope limitations. Emphasis of Matter and Key Audit Matter paragraphs provide additional transparency without modifying the opinion.
Entry-Level Skills: Vouching, tracing, footing, confirmation administration, inventory observation, and bank reconciliation review are the foundational tasks of the junior auditor. All work must be documented in working papers with clear objectives, procedures, findings, and conclusions.
