ACC 640 Milestone Two Guidelines and Rubric

Overview

This milestone will give you practice using generally accepted auditing standards (GAAS) to plan an audit by filling in various sections of a working paper. You will revise this milestone in response to instructor feedback and resubmit it as part of Project One.

Scenario

The CPA firm of Penmen Associates is planning to take over the audit of financial statements of Keystone Enterprises. As a senior auditor for the firm, you have been tasked with evaluating Keystone, using GAAS, best practices and risk assessment techniques to identify the objectives and scope of the audit for this client. After completion, Penmen Associates will ask you to prepare for the audit. You will gain an understanding of Keystone's internal control structure, financial accounts, business environment, materiality, and any inherent risks that may impact the company. You will also review external and other factors.

Directions

A working paper is an informational report prepared by accountants and auditors as supporting documents for formal reports and financial statements. Note that rubric criterion #1 below references the risk assessment completed in Milestone One. If you did not complete Milestone One, you must complete the risk assessment portion to satisfy this criterion.

Specifically, you must address the following rubric criteria:

Using the Keystone financial data and the AS 2110 standard provided in the Supporting Materials section, analyze the company data.

1. Describe the next steps in the audit based on the risk assessment. Consider the following:
   1. How do the internal and external risk factors inform the audit to be performed?
2. Determine the audit tests needed through financial data analysis. Include the following:
   1. What tests are needed?
   2. What issues were found warranting the need for selected tests?
3. Analyze audit evidence for errors from financial data. Include the following:
   1. Found errors
   2. Impact of errors on the external audit
   3. Explanation of possible errors from financial data
4. Describe how these audit strategies support the client profile and risk areas.
5. Determine evidence needed for substantive testing and risk assessment based on audit findings. Consider the following:
   1. What other sample reports or materials need to be requested to fulfill this audit?

Working Paper

Use the Milestone Two Working Paper Template

Supporting Materials Refer to the following statements for this assignment:

• .06 and .07
• .09 and .10
• .15
• .18 and .19
• .23 and .24
• .28
• .39

Keystone Financial Data

Keystone Consolidated Statement of Income For the year ended For the year ended December 31, 2025 December 31, 2024 Revenues S 364,953,846 S 345,965,385 Costs and expenses: Cost of sales 222,496,154 207,838,462 Selling and administrative 104,450,000 100,246,154 Interest expense 1,257,692 1,730,769 Other (income)/expense, net 1,311,539 796,154 Total costs and expenses 329,515,385 310,611,539 Income before income taxes 35,438,461 35,353,846 Income taxes 12,757,692 13,080,769 Net income S 22,680,769 S 22,273,077Keystone Consolidated Balance Sheet ASSETS December 31, 2025 December 31, 2024 Current assets: Cash and cash equivalent 11,692,308 9,780,769 Accounts receivable, less allowance for doubtful accounts of $2,773,077 and $2,515,385 62,361,538 60,361,539 Trading securities (Inventory) 54,773,077 55,615,385 Investments (Derivatives) 14,460,577 14,852,885 Deferred income taxes 3,357,692 3,288,461 Prepaid expenses and other current assets 5,250,000 6,923 Total current assets 151,895,192 151,175,962 Property and equipment, net 62,261,539 50,900,000 Identifiable intangible assets and goodwill, net 3,820,192 3,950,961 Deferred income taxes and other assets 5,853,846 9,238,462 Total assets $ 223,830,769 225,265,385 LIABILITIES AND SHAREHOLDERS' EQUITY Current liabilities: Current portion of long-term debt 207,692 1,926,923 Notes payable 28,896,154 35,546,154 Accounts payable 20,615,385 20,915,385 Accrued liabilities 18,157,692 23,336,581 Income taxes payable 842,308 582,650 Total current liabilities 68,719,231 82,307,693 Long-term debt 16,765,384 18,088,462 Deferred income taxes and other liabilities 3,942,308 4,253,846 Shareholders' equity Common stock at par value 107,692 107,692 Capital in excess of par value 17,669,231 14,192,308 Unearned stock compensation 380,769) 0,000 Accumulated other comprehensive income 5,850,000) (4,273,077 Retaining earnings 122,857,692 111,038,461 Total shareholders' equity 134,403,846 120,615,384 Total liabilities and shareholders' equity 223,830,769 225,265,385Keystone Condensed Cash Flow Statement Cash provided by operations Cash used by investing activities Cash used by financing activities Effect of exchange rate changes on cash Net increase in cash and cash equivalents Cash and cash equivalents, beginning of year Cash and cash equivalents, end of year I *Includes dividends paid of $4,988,462 in 2025 and $5,119,231 in 2024 ] Keystone Liquidity Ratios 2025 2024 Current ratio = CA/CL 151,895,192 = 2.21 151,175,962 = 1.84 68,719,231 82,307,693 Acid-test (quick) ratio = Liquid assets/CL 11,692,308+62,361,538 = 1.08 9,780,769+60,361,539 =0.85 68,719,231 82,307,693 Inventory turnover in days 365 + 222,496,154 = 90.6 days 365 + 207,838,462 =97.6 days (54,773,077+55,615,385)/2 55,615,385 Receivables turnover in days 365 + 364,953,846 = 61.3 days 365 + 345,965,385 = 63.7 days (62,361,538+60,361,539)/2 60,361,539 Payables turnover in days 365 + 222,496,154 = 34.1 days 365 + 207,838,462 = 36.8 days (20,615,385+20,915,385)/2 20,915,385 Gross operating cycle 61.3 + 90.6 = 151.9 days 63.7 + 97.6 = 161.3 days Net operating cycle 151.9 -34.1 =117.8 days 161.3 -36.8 = 124.5 days Solvency ratios Debt to equity 89,426,923 = 66.5% 104,650,001 = 86.7% 134,403,846 120,615,384 Times interest earned 35,438,461 + 1,257,692 = 29.2 35,353,846 + 1,730,769 = 21.4 1,257,692 1,730,769 Profitability ratios Gross profit margin 364,953,846-222,496,154 = 39.0% 345,965,385-207,838,462 = 39.9% 364,953,846 345,965,385 Profit margin 22,680,769 = 6.2% 22,273,077 = 6.4% 364,953,846 345,965,385 Return on assets 22,680,769 = 10.1% 22,273,077 =9.9% (223,830,769+225,265,385)/2 225,265,385 Return on stockholders equity 22,680,769 = 17.7% 22,273,077 = 18.5% (134,403,846+120,615,384)/2 120,615,384ACC 640 AS 2110 Standard Identifying and Assessing Risks of Material Misstatement This standard establishes requirements regarding the process of identifying and assessing risks of material misstatement of financial statements. Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company's industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting. For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture business transactions, or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framewaork. Thus, the audit procedures that are necessary to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors. This standard discusses the following risk assessment procedures: 06 In an integrated audit, the risks of material misstatement of the financial statements are the same for both the audit of internal control over financial reporting and the audit of financial statements. The auditor's risk assessment procedures should apply to both the audit of internal control over financial reporting and the audit of financial statements. Obtaining an Understanding of the Company and Its Environment 07 The auditor should obtain an understanding of the company and its environment (\"understanding of the company\") to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining an understanding of the company includes understanding: a. Relevant industry, regulatory, and other external factors. b. The nature of the company. . The company's selection and application of accounting principles, including related disclosures. d. The company's objectives and strategies and those related business risks that might reasonably be expected to result in risks of material misstatement; and e. The company's measurement and analysis of its financial performance. Industry, Regulatory, and Other External Factors .09 Obtaining an understanding of the relevant industry, regulatory, and other external factors encompass industry factors, including the competitive environment and technological developments; the regulatory environment, including the applicable financial reporting framework and the legal and political environment; and external factors, including general economic conditions. Nature of the Company 10 Obtaining an understanding of the nature of the company includes understanding: * The company's organizational structure and management personnel. * The sources of funding for the company's operations and investment activities, including the company's capital structure, noncapital funding (e.g., subordinated debt or dependencies on supplier financing), and other debt instruments. = The company's significant investments, including equity method investments, joint ventures, and variable interest entities. The company's operating characteristics, including its size and complexity. Mote: The size and complexity of a company might affect the risks of misstatement and how the company addresses those risks. = The sources of the company's earnings, including the relative profitability of key products and services; and = Key supplier and customer relationships. Company Objectives, Strategies, and Related Business Risks Note: Some relevant business risks might be identified through other risk assessment procedures, such as obtaining an understanding of the nature of the company and understanding industry, regulatory, and other external factors. 15 The following are examples of situations in which business risks might result in a material misstatement of the financial statements: * Industry developments (a potential related business risk might be, e.g., that the company does not have the personnel or expertise to deal with the changes in the industry.) = New products and services (a potential related business risk might be, e.g., that the new product or service will not be successful.) = Use of information technology (\"IT") (a potential related business risk might be, e.g., that systems and processes are incompatible.) = New accounting requirements (a potential related business risk might be, e.g., incomplete, or improper implementation of a new accounting requirement.) = Expansion of the business (a potential related business risk might be, e.g., that the demand for the company's products or services has not been accurately estimated.) = The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements (a potential related business risk might be, e.g., incomplete, or improper implementation of the strategy.) Obtaining an Understanding of Internal Control Over Financial Reporting 18 The auditor should obtain a sufficient understanding of each component of internal control over financial reporting ("understanding of internal control\") to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures. .19 The nature, timing, and extent of procedures that are necessary to obtain an understanding of internal control depend on the size and complexity of the company; the auditor's existing knowledge of the company's internal control over financial reporting; the nature of the company's controls, including the company's use of IT; the nature and extent of changes in systems and operations; and the nature of the company's documentation of its internal control over financial reporting. Procedures the auditor performs to obtain evidence about design effectiveness include inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs, as described in paragraphs .37-.38, that include these procedures ordinarily are sufficient to evaluate design effectiveness. Note: Determining whether a control has been implemented means determining whether the control exists and whether the company is using it. The procedures to determine whether a control has been implemented may be performed in connection with the evaluation of its design. Procedures performed to determine whether a control has been implemented include inquiry of appropriate personnel, in combination with observation of the application of controls or inspection of documentation. Control Environment .23 The auditor should obtain an understanding of the company's control environment, including the policies and actions of management, the board, and the audit committee concerning the company's control environment. .24 Obtaining an understanding of the control environment includes assessing: * Whether management's philosophy and operating style promote effective internal control over financial reporting. * Whether sound integrity and ethical values, particularly of top management, are developed and understood; and * Whether the board or audit committee understands and exercises oversight responsibility over financial reporting and internal control. The Company's Risk Assessment Process Obtaining an understanding of the company's risk assessment process includes obtaining an understanding of the risks of material misstatement identified and assessed by management and the actions taken to address those risks. Information and Communication .28 Infarmation System Relevant to Financial Reporting. The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including: f. The classes of transactions in the company's operations are significant to the financial statements. g. The procedures, within both automated and manual systems, by which those transactions are initiated, authorized, processed, recorded, and reported. h. The related accounting records, supporting information, and specific accounts in the financial statements that are used to initiate, authorize, process, and record transactions. i. How the information system captures events and conditions, other than transactions, that are significant to financial statements. j- Whether the related accounts involve accounting estimates and if so, the processes used to develop accounting estimates, including: o The methods used may include models. o The data and assumptions used, including the source from which they are derived; and o The extent to which the company uses third parties (other than specialists), including the nature of the service provided and the extent to which the third parties use company data and assumptions; and k. The period-end financial reporting process. The auditor also should obtain an understanding of how IT affects the company's flow of transactions. The identification of risks and controls within IT is not a separate evaluation. Instead, it is an integral part of the approach used to identify significant accounts and disclosures and their relevant assertions and, when applicable, to select the controls to test, as well as to assess risk and allocate audit effort. Control Activities The auditor should obtain an understanding of control activities that is sufficient to assess the factors that affect the risks of material misstatement and to design further audit procedures, as described in paragraph .18 of this standard. As the auditor obtains an understanding of the other components of internal control over financial reporting, he or she is also likely to obtain knowledge about some control activities. The auditor should use his or her knowledge about the presence or absence of control activities obtained from the understanding of the other companents of internal contral over financial reporting in determining the extent to which it is necessary to devote additional attention to obtaining an understanding of control activities to assess the factors that affect the risks of material misstatemeant and to design further audit procedures. Mote: A broader understanding of control activities is needed for relevant assertions for which the auditor plans to rely on controls. Also, in the audit of internal control over financial reparting, the auditor's understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained in a financial statement audit. Monitoring of Controls The auditor should obtain an understanding of the major types of activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the company initiates corrective actions related to its controls. An understanding of the company's monitoring activities includes understanding the source of the information used in the monitoring activities. Performing Walkthroughs As discussed in paragraph .20, the auditor may perform walkthroughs as part of obtaining an understanding of internal control over financial reporting. For example, the auditor may perform wialkthroughs in connection with understanding the flow of transactions in the information system relevant to financial reporting, evaluating the design of controls relevant to the audit, and determining whether those controls have been implemented. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and IT that company personmel use. Walkthrough procedures usually include a combination of inquiry, cbservation, an inspection of relevant documentation, and re-performance of controls. Relationship of Understanding of Internal Control to Tests of Controls .38 The objective of obtaining an understanding of internal control, as discussed in paragraph .18 of this standard, is different from testing controls for the purpose of assessing control risk or for the purpose of expressing an opinion on internal control over financial reporting in the audit of internal cantral over financial reporting. The auditor may obtain an understanding of internal control cancurrently with performing tests of controls if he or she obtains sufficient appropriate evidence to achieve the objectives of both procedures. Also, the auditor should consider the evidence obtained from understanding internal control when assessing control risk and, in the audit of internal control over Client Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of next steps]. To map each of the questions with the possible risks and proposed control objective/description. To document the type of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness. Type of Control What occurs if the control is working What audit How does the control Possible Risks Proposed Internal Control / How to test the What happens if the Next Steps Manual/ Frequency? properly and what standard(s) improve operating Description Preventive/ control? audit standard control is not working? apply? effectiveness? Detective Automated applies? Next Steps dentify the next steps and Identify the control objective and Vote whether control is |Identify whether the control activity is | Indicate the Indicate whether What outcomes What outcomes occur if What Indicate how the control elated financial statement description of procedures in place that |preventive (i.e., acts performed manually (e.g., manual frequency in the control is occur if the control the control is not applicable improves operating risks (Existence or s relevant to mitigate the identified before error, omission, |authorization or review of a which the designed effectively works effectively? working properly or is Statement of Effectiveness Occurrence, Completeness, risk of material misstatement and or misstatement may econciliation), is automated (i.e., control takes i.e., is the control, deficient? Standards for Valuation, Rights and achieve the objective. Include a occur) or detective system edit checks, system access place (e.g-, individually or in Attestation Obligations, Presentation detailed description of the control acts after estrictions and authorizations, annual, combination with Note: Design deficiency Engagements and Disclosure, Accuracy, procedures noting the following: error/misstatement has | automated review and approvals, quarterly, other controls, occurs when the control apply? Classification, Cutoff that 1) Who performs the control occurred). etc.), or performed manually using monthly, daily, capable of is not effectively designed are applicable procedures? system generated information (i.e., every time a effectively to meet its objective 2) How is/are the procedure(s) physically verifying existence of transaction is mitigating the key (e.g., the control performed? inventory using system generated processed). risk(s) of material individually or in 3) How is the performance of the inventory report). misstatement and combination with other control activity documented (i.e., what achieving the controls, is not capable forms are used) control objective?) of effectively preventing 4) How is performance of the control or detecting and activity evidenced (i.e., signature and correcting material date on form)? misstatements). 1. Reviewing the draft audit report 2. Asking questions about auditor's findings 3. Evaluating any recommendations before they are presented to the board in the final reportClient Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of audit tests needed]. To map each of the questions with the possible risks and proposed control objective/description. To document the type of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness Type of Control What occurs if the What audit How to test the control is working How does the control Possible Risks Proposed Internal Control / What happens if the Audit Tests Needed Preventive/ Manual/ Frequency? properly and what standard(s) improve operating Description control? control is not working? audit standard apply? effectiveness? Detective Automated applies? Audit Tests Needed Identify the audit tests dentify the control objective and Vote whether control Identify whether the control Indicate the ndicate whether What outcomes What outcomes occur What Indicate how the control needed and related description of procedures in place is preventive (i.e., acts | activity is performed manually frequency in the control is occur if the control if the control is not applicable improves operating financial statement risks that is relevant to mitigate the before error, e.g., manual authorization or which the designed works effectively? working properly or is Statement of effectiveness. (Existence or Occurrence, identified risk of material omission, or eview of a reconciliation), is control takes effectively (i.e., is deficient? Standards for Completeness, Valuation, misstatement and achieve the misstatement may automated (i.e., system edit checks, place (e.g., the control, Attestation Rights and Obligations, objective. Include a detailed occur) or detective system access restrictions and annual, ndividually or in Note: Design deficiency |Engagements Presentation and description of the control facts after authorizations, automated review quarterly, combination with occurs when the apply? Disclosure, Accuracy, procedures noting the following: error/misstatement and approvals, etc.), or performed monthly, other controls, control is not Classification, Cutoff 1) Who performs the control has occurred). manually using system generated daily, every capable of effectively designed to that are applicable. procedures? information (i.e., physically time a effectively meet its objective (e.g., 2) How is/are the procedure(s) verifying existence of inventory transaction is mitigating the key the control, performed? using system generated inventory processed) risk(s) of material individually or in 3) How is the performance of the report). misstatement and combination with control activity documented (i.e., achieving the other controls, is not what forms are used)? control capable of effectively 4) How is performance of the control objective?). preventing or activity evidenced (i.e., signature detecting and and date on form)? correcting material misstatements 1. Inquiry 2. Observation 3. Examination 4. Re-performance 5. Computer-assisted audit techniques (CAAT)Client Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of errors. To map each of the questions with the possible risks and proposed control objective/description. To document the type of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness. Type of Control What occurs if the control is working What audit How does the control Proposed Internal Control / How to test the What happens if the Errors Possible Risks improve operating Description Preventive/ Manual/ Frequency? properly and what standard(5) control? audit standard control is not working? apply? effectiveness? Detective Automated applies? Errors Identify any errors and the Identify the control objective and Note whether control Identify whether the control activity Indicate the Indicate whether What outcomes What outcomes occur if What Indicate how the control related financial statement | description of procedures in place is preventive (i.e., acts is performed manually (e.g., manual frequency in the control is occur if the control the control is not applicable improves operating risks (Existence or hat is relevant to mitigate the before error, omission, authorization or review of a which the designed effectively | works effectively? working properly or is Statement of effectiveness. Occurrence, Completeness, identified risk of material or misstatement may reconciliation), is automated (i.e., control takes i.e., is the control, deficient? Standards for Valuation, Rights and misstatement and achieve the occur) or detective system edit checks, system access place (e.g., individually or in Attestation Obligations, Presentation objective. Include a detailed facts after restrictions and authorizations, annual, combination with Note: Design deficiency Engagements and Disclosure, Accuracy, description of the control procedures error/misstatement automated review and approvals, quarterly, other controls occurs when the control apply? Classification, Cutoff) that noting the following: has occurred). etc.), or performed manually using monthly, daily, capable of 's not effectively are applicable. 1) Who performs the control system generated information (i.e-, every time a effectively designed to meet its procedures? physically verifying existence of transaction is mitigating the key objective (e.g., the 2) How is/are the procedure(s) inventory using system generated processed) risk(s) of material control, individually or in performed? inventory report). misstatement and combination with other 3) How is the performance of the achieving the controls, is not capable control activity documented (i.e., objective?). of effectively preventing what forms are used)? or detecting and 4) How is performance of the control correcting material activity evidenced (i.e., signature and misstatements). 1. Error of principle 2. Errors of commission 3. Errors of omission 4. Errors of duplication 5. Compensating errorsClient Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of audit strategies. To map each of the questions with the possible risks and proposed control objective/description. To document the ype of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness. Type of Control What occurs if the control is working What audit How does the control Proposed Internal Control / How to test the properly and what What happens if the Audit Strategies Possible Risks Frequency? standard(s) improve operating Description Preventive/ Manual/ control? audit standard control is not working? apply? effectiveness? Detective Automated applies? Audit Strategies Identify the audit Identify the control objective and Vote whether control Identify whether the control activity Indicate the Indicate whether What outcomes What outcomes occur if What Indicate how the control strategies and related description of procedures in place 's preventive (i.e., acts is performed manually (e.g., manual frequency in the control is occur if the control the control is not applicable improves operating financial statement risks that is relevant to mitigate the before error, omission, authorization or review of a which the designed effectively | works effectively? working properly or is Statement of Effectiveness Existence or Occurrence, identified risk of material or misstatement may reconciliation), is automated (i.e., control takes i.e., is the control, deficient? Standards for Completeness, Valuation, misstatement and achieve the occur) or detective system edit checks, system access place (e.g., individually or in Attestation Rights and Obligations, objective. Include a detailed facts after estrictions and authorizations, annual ombination with Note: Design deficiency Engagements Presentation and description of the control procedures error/misstatement automated review and approvals, quarterly, other controls, occurs when the control apply? Disclosure, Accuracy, noting the following: has occurred). etc.), or performed manually using monthly, daily, capable of is not effectively Classification, Cutoff) that 1) Who performs the control system generated information (i.e-, every time a effectively designed to meet its are applicable. procedures? physically verifying existence of transaction is mitigating the key objective (e.g., the 2) How is/are the procedure(s) inventory using system generated processed) risk(s) of material control, individually or in performed? inventory report). misstatement and combination with other 3) How is the performance of the achieving the controls, is not capable control activity documented (i.e., control objective?). of effectively preventing what forms are used)? or detecting and 4) How is performance of the control correcting material activity evidenced (i.e., signature and misstatements). date on form)? 1. Identified GAAS 2. Basic assumptions 3. Consistent premises 4. Logical principles 5. RequirementsClient Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of evidence needed. To map each of the questions with the possible risks and proposed control objective/description. To document the type of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness. Type of Control What occurs if the control is working What audit How does the control How to test the What happens if the Evidence Needed Possible Risks Proposed Internal Control / Frequency? properly and what standard(s) improve operating Description Preventive/ Manual/ control? audit standard control is not working? apply? effectiveness? Detective Automated applies? Evidence Needed Identify the evidence Identify the control objective and Note whether control Identify whether the control activity Indicate the Indicate whether What outcomes What outcomes occur if |What Indicate how the control needed and related description of procedures in place is preventive (i.e., acts 's performed manually (e.g., manual frequency in the control is occur if the control the control is not applicable mproves operating financial statement risks that are relevant to mitigate the before error, omission, authorization or review of a which the designed effectively | works effectively? working properly or is Statement of effectiveness. Existence or Occurrence, dentified risk of material or misstatement may reconciliation), is automated (i.e., control takes i.e., is the control, deficient? Standards for Completeness, Valuation, misstatement and achieve the occur) or detective system edit checks, system access place (e.g., individually or in Attestation Rights and Obligations, objective. Include a detailed (acts after restrictions and authorizations, annual, combination with Note: Design deficiency Engagements Presentation and description of the control procedures error/misstatement automated review and approvals, quarterly, other controls, occurs when the control apply? Disclosure, Accuracy, noting the following: has occurred). etc.), or performed manually using monthly, daily, capable of 's not effectively Classification, Cutoff) that 1) Who performs the control system generated information (i.e., every time a effectively designed to meet its are applicable. procedures? physically verifying existence of transaction is mitigating the key objective (e.g., the 2) How is/are the procedure(s) inventory using system generated processed) risk(s) of material control, individually or in performed? inventory report). misstatement and combination with other 3) How is the performance of the achieving the controls, is not capable control activity documented (i.e., control objective?). of effectively preventing what forms are used)? or detecting and 4) How is performance of the control correcting material activity evidenced (i.e., signature and misstatements). 1. Identified GAAS 2. Basic assumptions 3. Consistent premises 4. Logical principles 5. Requirements