ACC 640 Milestone Two Guidelines and Rubric

The CPA firm of Penmen Associates is planning to take over the audit of financial statements of Keystone Enterprises. As a senior auditor for the firm, you have been tasked with evaluating Keystone, using GAAS, best practices and risk assessment techniques to identify the objectives and scope of the audit for this client. After completion, Penmen Associates has asked you to prepare for the audit. You will gain an understanding of Keystone's internal control structure, financial accounts, business environment, materiality, and any inherent risks that may impact the company. You will also review external and other factors.

A working paper is an informational report prepared by accountants and auditors as supporting documents for formal reports and financial statements. Note that rubric criterion #1 below references the risk assessment completed in Milestone One. If you did not complete Milestone One, you will need to complete the risk assessment portion in order to satisfy this criterion.

Financial Data:

Keystone Consolidated Statement of Income For the year ended For the year ended _ December 31, 2025 December 31, 2024 Revenues g 364,953,846 100% g 345,965,385 100% Costs and expenses: - Cost of sales 222,495,154 | e0o7%| 207838462| 0000000 | 60.07% selling and administrative 104,450,000 | 2862%| 100245154 00 | 23.98%] Other (income)/expense, n 1,311,539 0.36% 796,154 0.23% Total costs and expenses 329,515,385 - 310,611,539 Income before income taxes 35,438,461 9.71% 35,353,846 10.22% Income taxes 12,757,692 | 350%| [ = 13080769 | 3.78%] Keystone Consolidated Balance Sheet ASSETS December 31, 2025 December 31, 2024 Current assets: Cash and cash equivalents 11,692,308 9,780,769 Accounts receivable, less allowance for doubtful accounts of $2,773,077 and $2,515,385 62,361,538 60,361,539 Trading securities (Inventory) 54,773,077 65,615,385 Investments (Derivatives 14,460,577 14,852,885 Deferred income taxes 3,357,692 3,288,461 Prepaid expenses and other current assets 5,250,000 7,276,923 Total current assets 151,895,192 151,175,962 Property and equipment, net 62,261,539 60,900,000 Identifiable intangible assets and goodwill, net 3,820,192 3,950,961 Deferred income taxes and other assets 5,853,846 9,238,462 Total assets S 223,830,769 225,265,385 LIABILITIES AND SHAREHOLDERS' EQUITY Current liabilities: Current portion of long-term debt 207,692 1,926,923 Notes payable 28,896,154 35,546,154 Accounts payable 20,615,385 20,915,385 Accrued liabi ,157,692 23,336,581 Income taxes payable 842,308 582,650 Total current liabilities 68,719,231 82,307,693 Long-term debt 16,765,384 18,088,462 Deferred income taxes and other liabilities 3,942,308 4,253,846 Shareholders' equity Common stock at par value 107,692 107,692 Capital in excess of par value 669,231 ,192,308 Unearned stock compensation (380,769) (450,000) Accumulated other comprehensive income 5,850,000) 4,273,077 Retaining earnings 122,857,692 111,038,461 Total shareholders' equity 134,403,846 120,615,384 Total liabilities and shareholders' equity $ 223,830,769 $ 225,265,385Cash provided by operations Cash used by investing activities Cash used by financing activities* Effect of exchange rate changes on cash 3,284,616 Met increase in cash and cash equivalents 1,911,539 Cash and cash equivalents, beginning of year 9,780,769 Cash and cash equivalents, end of year *Includes dividends paid of $4,988,462 in 2025 and $5,119,231 in 2024 Keystone Condensed Cash Flow Statement For the year ended December 31, 2025 25,250,000 (13,165,385 (13,457,692 L 5 11,692,308 | S o i 0 3 o 1] = W = M o M [ f9 A. Company Structure Risks High Competition and Price Sensitivity Keystone operates in a highly competitive financial services industry. Strategies like adjusting prices to maintain market share have at times negatively impacted performance, reflecting potential instability. Cybersecurity Risks Dependence on Key Personnel Outsourcing Dependence B. Due Diligence Risk Revenue Recognition Issues Increased remote work due to COVID-19 has expanded the network footprint, raising the risk of cyberattacks. Existing cybersecurity measures may not be sufficient to counteract evolving threats. Keystone relies heavily on attracting and retaining qualified personnel, posing a risk if key employees leave or if recruiting new talent proves difficult in a tight labor market. Keystone's reliance on third-party vendors for critical services (regulatory, data center, cloud, data storage) means any disruption or failure by these third parties could adversely affect operations. Despite an unqualified opinion on internal controls, a critical item related to revenue recognition highlights potential issues in correctly allocating contract transaction prices to performance obligations. Recent Loan Acquisition C. Client Risk Profile Expansion and Acquisition Risk Regulatory Compliance The 57 million loan for expansion increases financial leverage and repayment obligations, potentially impacting liquidity and financial stability. The acquisition of XBroker and expansion plans introduce integration challenges and operational risks. Adapting to new SEC regulations and maintaining compliance can impact Keystone's operations and profitability A. Industry and Market Risks Competitive Market The financial services industry is marked by intense competition and rapid technological changes, affecting Keystone's market share and profitability. Global Operations B. Regulatory Standards Keystone's operations in Canada and Japan expose it to political, economic, and social uncertainties, which can impact financial results. SEC Regulations Compliance with various SEC regulations, including trading practices and financial reporting, is mandatory. Changes in regulations could affect operations and reporting requirements. SOX Compliance Keystone must comply with Sarbanes-Oxley Act requirements, adding complexity to the audit process. C. Client Risk Profile Technological Dependence Economic Fluctuations Keystone's reliance on advanced trading technology and data products necessitates ongoing investment and management of technology-related risks. The company's performance is sensitive to economic conditions and market volatility, affecting trading volumes and revenue. Type of Control What occurs if the control is working What audit How does the control How to test the What happens if the Next Steps Possible Risks Proposed Internal Control / Description Manual/ properly and what standard(s) Preventive/ Frequency? improve operating control: control is not working? audit standard effectiveness? Automated apply? Detective applies? Next Steps Identify the next steps and Identify the control objective and Note whether control is Identify whether the control activity is Indicate the Indicate whether the What outcomes occur | What outcomes occur if What Indicate how the control related financial statement description of procedures in place that is |preventive (i.e., acts performed manually (e.g., manual frequency in control is designed f the control works the control is not working applicable improves operating risks ( Existence or relevant to mitigate the identified risk of |before error, omission, authorization or review of a reconciliation), is which the effectively (i.e., is the effectively? properly or is deficient? Statement of effectiveness. Occurrence, Completeness, material misstatement and achieve the or misstatement may automated (i.e., system edit checks, system control takes control, individually Standards for Valuation, Rights and objective. Include a detailed description occur) or detective (acts access restrictions and authorizations, place (e.g., or in combination Note: Design deficiency Attestation Obligations, Presentation of the control procedures noting the after error/misstatement automated review and approvals, etc.), or annual, with other controls, occurs when the control is Engagements and Disclosure, Accuracy, following: has occurred). performed manually using system generated quarterly, capable of effectively not effectively designed to | apply? Classification, Cutoff) that 1) Who performs the control information (i.e., physically verifying monthly, daily, mitigating the key meet its objective (e.g., the are applicable. procedures existence of inventory using system every time a risk(s) of material control, individually or in 2) How is/are the procedure(s) generated inventory report). transaction is misstatement and combination with other performed? [processed) achieving the control controls, is not capable of 3) How is the performance of the control objective?). effectively preventing or activity documented (i.e., what forms are detecting and correcting used) ? material misstatements). 4) How is performance of the control activity evidenced (i.e., signature and date on form)? 1. Reviewing the draft audit report Detective manually 2. Asking questions about auditor's findings detective manually 3. Evaluating any recommendations before they are presented to the board in the final reportType of Control What occurs if the control is working What audit How does the control How to test the What happens if the Audit Tests Needed Possible Risks Proposed Internal Control / Description Preventive/ Manual/ Frequency? properly and what standard(s) improve operating control? control is not working? audit standard effectiveness? Detective Automated apply? applies? Audit Tests Needed Identify the audit tests dentify the control objective and Note whether control is Identify whether the control activity is Indicate the Indicate whether the What outcomes occur | What outcomes occur if What Indicate how the control needed and related financial |description of procedures in place that is |preventive (i.e., acts performed manually (e.g., manual frequency in control is designed if the control works the control is not working applicable mproves operating statement risks (Existence or elevant to mitigate the identified risk of |before error, omission, authorization or review of a which the effectively (i.e., is the effectively? properly or is deficient? Statement of effectiveness. Occurrence, Completeness, material misstatement and achieve the or misstatement may econciliation), is automated (i.e., control takes control, individually Standards for Valuation, Rights and objective. Include a detailed description occur) or detective (acts system edit checks, system access place (e.g., or in combination Note: Design deficiency Attestation Obligations, Presentation of the control procedures noting the after error/misstatement |restrictions and authorizations, annual, with other controls, occurs when the control is Engagements and Disclosure, Accuracy, following: has occurred). automated review and approvals, etc.), quarterly, capable of effectively not effectively designed to | apply? Classification, Cutoff) that (1) Who performs the control or performed manually using system monthly, daily, mitigating the key meet its objective (e.g., the are applicable. procedures? generated information (i.e., physically every time a risk(s) of material control, individually or in 2) How is/are the procedure(s) verifying existence of inventory using transaction is misstatement and combination with other performed? system generated inventory report). [processed). achieving the control controls, is not capable of 3) How is the performance of the control objective?). effectively preventing or activity documented (i.e., what forms are detecting and correcting used)? material misstatements). 4) How is performance of the control activity evidenced (i.e., signature and date on form)? 1. Inquiry 2. Observation 3. Examination 4. Re-performance 5. Computer-assisted audit techniques CAAT)Type of Control What occurs if the How does the control How to test the control is working What audit What happens if the Errors Possible Risks Proposed Internal Control / Description Frequency? properly and what standard(s) improve operating Preventive/ Manual/ control? control is not working? audit standard apply? effectiveness? Detective Automated applies? Errors Identify any errors and the dentify the control objective and Note whether control is Identify whether the control activity is Indicate the Indicate whether the What outcomes occur | What outcomes occur if What Indicate how the control related financial statement description of procedures in place that is |preventive (i.e., acts performed manually (e.g., manual frequency in control is designed if the control works the control is not working applicable improves operating risks (Existence or relevant to mitigate the identified risk of before error, omission, authorization or review of a which the effectively (i.e., is the effectively? properly or is deficient? Statement of effectiveness Occurrence, Completeness, material misstatement and achieve the or misstatement may econciliation), is automated (i.e., control takes control, individually Standards for Valuation, Rights and objective. Include a detailed description [occur) or detective (acts system edit checks, system access place (e-g., or in combination Note: Design deficiency Attestation Obligations, Presentation of the control procedures noting the after error/misstatement restrictions and authorizations, annual, with other controls, occurs when the control is Engagements and Disclosure, Accuracy, following: has occurred). automated review and approvals, etc.), quarterly, capable of effectively not effectively designed to | apply? Classification, Cutoff) that 1) Who performs the control or performed manually using system monthly, daily, mitigating the key meet its objective (e.g., the are applicable. procedures? generated information (i.e., physically every time a risk(s) of material control, individually or in 2) How is/are the procedure(s) verifying existence of inventory using transaction is misstatement and combination with other performed? [system generated inventory report). [processed). achieving the control controls, is not capable of 3) How is the performance of the control objective?). effectively preventing or activity documented (i.e., what forms are detecting and correcting used)? material misstatements). 4) How is performance of the control activity evidenced (i.e., signature and date on form)? 1. Error of principle 2. Errors of commission 3. Errors of omission 4. Errors of duplication 5. Compensating errorsType of Control What occurs if the control is working What audit How does the control How to test the What happens if the Audit Strategies Possible Risks Proposed Internal Control / Description Preventive/ Manual/ Frequency? properly and what standard(s) improve operating control? control is not working? effectiveness? Detective Automated audit standard apply? applies? Audit Strategies Identify the audit strategies dentify the control objective and Note whether control is Identify whether the control activity is Indicate the Indicate whether the What outcomes occur | What outcomes occur if What Indicate how the control and related financial description of procedures in place that is | preventive (i.e., acts performed manually (e.g., manual frequency in control is designed if the control works the control is not working applicable mproves operating statement risks (Existence or relevant to mitigate the identified risk of |before error, omission, authorization or review of a which the effectively (i.e., is the effectively? properly or is deficient? Statement of effectiveness. Occurrence, Completeness, material misstatement and achieve the or misstatement may econciliation), is automated (i.e., control takes control, individually Standards for Valuation, Rights and objective. Include a detailed description [occur) or detective facts system edit checks, system access place (e.g., or in combination Note: Design deficiency Attestation Obligations, Presentation of the control procedures noting the after error/misstatement |restrictions and authorizations, annual, with other controls, occurs when the control is Engagements and Disclosure, Accuracy, following: has occurred). automated review and approvals, etc.), quarterly, capable of effectively not effectively designed to |apply? Classification, Cutoff) that 1) Who performs the control or performed manually using system monthly, daily, mitigating the key meet its objective (e.g., the are applicable. procedures? generated information (i.e., physically every time a risk(s) of material control, individually or in 2) How is/are the procedure(s) verifying existence of inventory using transaction is misstatement and combination with other performed? system generated inventory report). processed) achieving the control controls, is not capable of 3) How is the performance of the control objective?). effectively preventing or activity documented (i.e., what forms are detecting and correcting used)? material misstatements). 4) How is performance of the control activity evidenced (i.e., signature and date on form)? 1. Identified GAAS 2. Basic assumptions 3. Consistent premises 4. Logical principles . RequirementsType of Control What occurs if the What audit How does the control How to test the control is working What happens if the Evidence Needed Possible Risks Proposed Internal Control / Description Preventive/ Manual/ Frequency? properly and what standard(s) improve operating control? control is not working? Detective Automated audit standard apply? effectiveness? applies? Evidence Needed Identify the evidence needed Identify the control objective and Note whether control is Identify whether the control activity is Indicate the Indicate whether the What outcomes occur | What outcomes occur if What Indicate how the control and related financial description of procedures in place that preventive (i.e., acts performed manually (e.g., manual frequency in control is designed if the control works the control is not working applicable improves operating statement risks (Existence or are relevant to mitigate the identified before error, omission, authorization or review of a which the effectively (i.e., is the effectively? properly or is deficient? Statement of effectiveness. Occurrence, Completeness, risk of material misstatement and or misstatement may reconciliation), is automated (i.e., control takes control, individually Standards for Valuation, Rights and achieve the objective. Include a detailed [occur) or detective (acts system edit checks, system access place (e.g., or in combination Note: Design deficiency Attestation Obligations, Presentation description of the control procedures after error/misstatement |restrictions and authorizations, annual, with other controls, occurs when the control is Engagements and Disclosure, Accuracy, noting the following has occurred). automated review and approvals, etc.), quarterly, capable of effectively not effectively designed to |apply? Classification, Cutoff) that 1) Who performs the control or performed manually using system monthly, daily, mitigating the key meet its objective (e.g., the are applicable. procedures? generated information (i.e., physically every time a isk(s) of material control, individually or in 2) How is/are the procedure(s) verifying existence of inventory using transaction is misstatement and combination with other performed? system generated inventory report). processed) achieving the control controls, is not capable of 3) How is the performance of the control objective?) effectively preventing or activity documented (i.e., what forms are detecting and correcting used)? material misstatements). 4) How is performance of the control activity evidenced (i.e., signature and date on form)? 1. Identified GAAS 2. Basic assumptions 3. Consistent premises 1. Logical principles . Requirements