audit-financial-statements

Audit Financial Statements

Plan and execute a financial statement audit that provides reasonable assurance that financial statements are free from material misstatement.

Why This Is Best Practice

Adopted by: PCAOB standards apply to all auditors of US public companies (SEC requirement); AICPA GAAS applies to private company and non-profit audits in the US; ISA (IAASB) is adopted in 120+ countries; Big Four (Deloitte, PwC, EY, KPMG) audited 99% of Fortune 500 companies. Impact: Audited financial statements reduce cost of capital by 50–150bp vs. unaudited (credibility premium); PCAOB inspections find deficiencies in 30–40% of audits annually, showing ongoing need for rigorous methodology; audit failures cost firms billions in litigation and regulatory fines (Arthur Andersen/Enron). Why best: An audit is a structured, evidence-based process for achieving reasonable assurance — not a guarantee, but the most rigorous financial verification process available to external stakeholders.

Sources: PCAOB AS 2101 (Audit Planning), AS 2301 (Auditor's Response to Risks), AS 2401 (Consideration of Fraud); AICPA AU-C Sections 200–940; ISA 200–810.

Steps

1. Accept the engagement and assess independence — confirm auditor independence (no financial interest, no family employment at client, no fee contingencies), evaluate client risk (integrity of management, business complexity), and execute engagement letter specifying scope, fee, and timeline.

2. Obtain understanding of the entity — document: industry and regulatory environment, business model and revenue streams, internal controls structure, organizational structure, related party relationships, and prior audit findings. This is the foundation for risk assessment.

3. Perform risk assessment procedures — identify and assess risks of material misstatement (RMM) at the financial statement level and assertion level. Distinguish: inherent risk (susceptibility of assertion to misstatement) and control risk (probability that controls won't prevent/detect misstatement).

4. Assess the risk of fraud — perform brainstorming session among engagement team about fraud risks (required by AS 2401/ISA 240). Identify specific fraud risks for revenue recognition, management override of controls, and asset misappropriation. Design procedures to address each.

5. Develop the audit plan — for each significant account and assertion (existence, completeness, accuracy, cut-off, valuation, classification, presentation), design a mix of: tests of controls (if relying on controls) and substantive procedures (tests of details and analytical procedures).

6. Test internal controls (if relying on them) — for controls the audit team intends to rely on, test design effectiveness (is the control designed to prevent/detect misstatement?) and operating effectiveness (has the control operated consistently throughout the period?).

7. Perform substantive testing — execute: (a) Analytical procedures: compare current year to prior year, budget, and industry benchmarks; investigate variances >materiality threshold. (b) Tests of details: vouching (trace recorded amounts to supporting documents), tracing (trace source documents to accounting records), confirmation (external party verification for receivables, cash, investments).

8. Test for cut-off and completeness — verify that transactions are recorded in the correct period: review transactions near year-end ±30 days; test goods received but not invoiced (GR/NI) accruals; test revenue recognition timing; confirm deferred revenue completeness.

9. Evaluate audit findings and uncorrected misstatements — accumulate identified misstatements; compare to materiality and performance materiality; request management to correct material misstatements; evaluate the effect of uncorrected misstatements on the financial statements.

10. Issue the audit opinion — draft the audit report with an opinion: Unmodified (clean), Qualified (except for one specific matter), Adverse (materially misstated), or Disclaimer (unable to obtain sufficient evidence). The report must comply with PCAOB AS 3101 or AICPA AU-C 700 format.

Rules

• Document every procedure performed, evidence obtained, and conclusion reached — "if it's not in the workpapers, it didn't happen."
• Materiality must be established before fieldwork and applied consistently throughout the audit.
• Confirm significant account balances with external parties; do not rely solely on client-prepared schedules.
• Maintain professional skepticism throughout — do not accept explanations without corroborating evidence.

Common Mistakes

• Insufficient fraud risk assessment — treating fraud as an abstract risk rather than assessing specific schemes applicable to the engagement.
• Over-reliance on analytical procedures — analytics identify areas for further testing; they are not sufficient alone for high-risk assertions.
• Poor documentation of professional judgment — documenting what was done without documenting why specific risks were assessed as low leaves the audit vulnerable to regulatory inspection.
• Tunnel vision on prior year approach — repeating prior year audit procedures without reassessing current year risks misses changes in business model, controls, or personnel.

When NOT to Use

• When a review engagement (negative assurance, limited procedures) or compilation (no assurance) is sufficient for the user's needs.
• When conducting an internal audit (different standards — IIA Standards apply; different objective than external audit).
• When the goal is forensic accounting or fraud investigation (different objective and procedures than a financial statement audit).