The CPA firm of Penmen Associates is planning to take over the audit of the financial statements of Keystone Enterprises. As a senior auditor for the firm, you have been tasked with evaluating Keystone, using GAAS, best practices and risk assessment techniques to identify the objectives and scope of the audit for this client. After completion, Penmen Associates has asked you to prepare for the audit. You will gain an understanding of Keystone's internal control structure, financial accounts, business environment, materiality, and any inherent risks that may impact the company. You will also review external and other factors.

Directions

A working paper is an informational report prepared by accountants and auditors as supporting documents for formal reports and financial statements. Note that rubric criterion #1 below references the risk assessment completed in Milestone One. If you did not complete Milestone One, you will need to complete the risk assessment portion in order to satisfy this criterion.

Specifically, you must address the following rubric criteria:

Using the Keystone financial data and the AS 2110 standard provided in the Supporting Materials section, perform an analysis of the company data.

1. Describe the next steps in the audit based on the risk assessment. Consider the following:
   1. How do the internal and external risk factors inform the audit to be performed?
2. Determine the audit tests needed through financial data analysis. Include the following:
   1. What tests are needed?
   2. What issues were found warranting the need for selected tests?
3. Analyze audit evidence for errors from financial data. Include the following:
   1. Found errors
   2. Impact of errors on the external audit
   3. Explanation of possible errors from financial data
4. Describe how these audit strategies support the client profile and risk areas.
5. Determine evidence needed for substantive testing and risk assessment based on audit findings. Consider the following:
6. What other sample reports or materials need to be requested to fulfil this audit?

Refer to the following statements for this assignment: 0O6and.0/ 09and.10 15 18and.19 23and .24 28 39 ALL baUu A 11U dTandard Identifying and Assessing Risks of Material Misstatement This standard establishes requirements regarding the process of identifying and assessing risks of material misstatement of financial statements. Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company's industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting. For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture business transactions, or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framework. Thus, the audit procedures that are necessary to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors. This standard discusses the following risk assessment procedures: .06 In an integrated audit, the risks of material misstatement of the financial statements are the same for both the audit of internal control over financial reporting and the audit of financial statements. The auditor's risk assessment procedures should apply to both the audit of internal control over financial reporting and the audit of financial statements. Obtaining an Understanding of the Company and Its Environment .07 The auditor should obtain an understanding of the company and its environment ("understanding of the company\") to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining an understanding of the company includes understanding: a. Relevant industry, regulatory, and other external factors. b. The nature of the company. c. The company''s selection and application of accounting principles, including related disclosures. d. The company's objectives and strategies and those related business risks that might reasonably be expected to result in risks of material misstatement; and e. The company's measurement and analysis of its financial performance. Industry, Regulatory, and Other External Factors .09 Obtaining an understanding of the relevant industry, regulatory, and other external factors encompass industry factors, including the competitive environment and technological developments; the regulatory environment, including the applicable financial reporting framework and the legal and political environment; and external factors, including general economic conditions. Nature of the Company .10 Obtaining an understanding of the nature of the company includes understanding: * The company's organizational structure and management personnel. The sources of funding for the company's operations and investment activities, including the company's capital structure, noncapital funding (e.g., subordinated debt or dependencies on supplier financing), and other debt instruments. * The company's significant investments, including equity method investments, joint ventures, and variable interest entities. The company's operating characteristics, including its size and complexity. Note: The size and complexity of a company might affect the risks of misstatement and how the company addresses those risks. The sources of the company's earnings, including the relative profitability of key products and services; and Key supplier and customer relationships. Company Objectives, Strategies, and Related Business Risks Note: Some relevant business risks might be identified through other risk assessment procedures, such as obtaining an understanding of the nature of the company and understanding industry, regulatory, and other external factors. 15 The following are examples of situations in which business risks might result in a material misstatement of the financial statements: Industry developments (a potential related business risk might be, e.g., that the company does not have the personnel or expertise to deal with the changes in the industry.) New products and services (a potential related business risk might be, e_g., that the new product or service will not be successful.) Use of information technology (\"IT") (a potential related business risk might be, e.g., that systems and processes are incompatible.) New accounting requirements (a potential related business risk might be, e.g., incomplete, or improper implementation of a new accounting requirement.) Expansion of the business (a potential related business risk might be, e.g., that the demand for the company's products or services has not been accurately estimated.) * The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements (a potential related business risk might be, e.g., incomplete, or improper implementation of the strategy.) Obtaining an Understanding of Internal Control Over Financial Reporting 18 The auditor should obtain a sufficient understanding of each component of internal control over financial reporting ("understanding of internal control\") to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures. 19 The nature, timing, and extent of procedures that are necessary to obtain an understanding of internal control depend on the size and complexity of the company; the auditor's existing knowledge of the company's internal control over financial reporting; the nature of the company's controls, including the company's use of IT; the nature and extent of changes in systems and operations; and the nature of the company's documentation of its internal control over financial reporting. Procedures the auditor performs to obtain evidence about design effectiveness include inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs, as described in paragraphs .37-.38, that include these procedures ordinarily are sufficient to evaluate design effectiveness. Note: Determining whether a control has been implemented means determining whether the control exists and whether the company is using it. The procedures to determine whether a control has been implemented may be performed in connection with the evaluation of its design. Procedures performed to determine whether a control has been implemented include inquiry of appropriate personnel, in combination with observation of the application of controls or inspection of documentation. Control Environment 23 The auditor should obtain an understanding of the company's control environment, including the policies and actions of management, the board, and the audit committee concerning the company's control environment. .24 Obtaining an understanding of the control environment includes assessing: * Whether management's philosophy and operating style promote effective internal control over financial reporting. Whether sound integrity and ethical values, particularly of top management, are developed and understood; and * Whether the board or audit committee understands and exercises oversight responsibility over financial reporting and internal control. The Company's Risk Assessment Process Obtaining an understanding of the company's risk assessment process includes obtaining an understanding of the risks of material misstatement identified and assessed by management and the actions taken to address those risks. Information and Communication .28 Information System Relevant to Financial Reporting. The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including: f. The classes of transactions in the company's operations are significant to the financial staternents. g- The procedures, within both automated and manual systems, by which those transactions are initiated, authorized, processed, recorded, and reported. h. The related accounting records, supporting information, and specific accounts in the financial statements that are used to initiate, authorize, process, and record transactions. i. How the information system captures events and conditions, other than transactions, that are significant to financial statements. j- Whether the related accounts involve accounting estimates and if so, the processes used to develop accounting estimates, including: o The methods used may include models. o The data and assumptions used, including the source from which they are derived; and o The extent to which the company uses third parties (other than specialists), including the nature of the service provided and the extent to which the third parties use company data and assumptions; and k. The period-end financial reporting process. The auditor also should obtain an understanding of how IT affects the company's flow of transactions. The identification of risks and controls within IT is not a separate evaluation. Instead, it is an integral part of the approach used to identify significant accounts and disclosures and their relevant assertions and, when applicable, to select the controls to test, as well as to assess risk and allocate audit effort. Control Activities The auditor should obtain an understanding of control activities that is sufficient to assess the factors that affect the risks of material misstatement and to design further audit procedures, as described in paragraph .18 of this standard. As the auditor obtains an understanding of the other components of internal control over financial reporting, he or she is also likely to obtain knowledge about some control activities. The auditor should use his or her knowledge about the presence or absence of control activities obtained from the understanding of the other components of internal control over financial reporting in determining the extent to which it is necessary to devote additional attention to obtaining an understanding of control activities to assess the factors that affect the risks of material misstatement and to design further audit procedures. Note: A broader understanding of control activities is needed for relevant assertions for which the auditor plans to rely on controls. Also, in the audit of internal control over financial reporting, the auditor's understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained in a financial statement audit. Monitoring of Controls The auditor should obtain an understanding of the major types of activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the company initiates corrective actions related to its controls. An understanding of the company's monitoring activities includes understanding the source of the information used in the monitoring activities. Performing Walkthroughs As discussed in paragraph .20, the auditor may perform walkthroughs as part of obtaining an understanding of internal control over financial reporting. For example, the auditor may perform walkthroughs in connection with understanding the flow of transactions in the information system relevant to financial reporting, evaluating the design of controls relevant to the audit, and determining whether those controls have been implemented. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and IT that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, an inspection of relevant documentation, and re-performance of controls. Relationship of Understanding of Internal Control to Tests of Controls 39 The objective of obtaining an understanding of internal control, as discussed in paragraph .18 of this standard, is different from testing controls for the purpose of assessing control risk or for the purpose of expressing an opinion on internal control over financial reporting in the audit of internal control over financial reporting. The auditor may obtain an understanding of internal control concurrently with performing tests of controls if he or she obtains sufficient appropriate evidence to achieve the objectives of both procedures. Also, the auditor should consider the evidence obtained from understanding internal control when assessing control risk and, in the audit of internal control aver Keystone Consolidated Statement of Income For the year ended For the year ended December 31, 2025 December 31, 2024 Revenues $ 364,953,846 S 345,965,385 Costs and expenses: Cost of sales 222,496,154 207,838,462 Selling and administrative 104,450,000 100,246,154 Interest expense 1,257,692 1,730,769 Other (income)/expense, net 1,311,539 796,154 Total costs and expenses 329,515,385 310,611,539 Income before income taxes 35,438,461 35,353,846 Income taxes 12,757,692 13,080,769 Net income S 22,680,769 22,273,077Keystone Consolidated Balance Sheet ASSETS December 31, 2025 December 31, 2024 Current assets: Cash and cash equivalents 11,692,308 9,780,769 Accounts receivable, less allowance for doubtful accounts of $2,773,077 and $2,515,385 62,361,538 60,361,539 Trading securities (Inventory) 54,773,077 55,615,385 Investments (Derivatives) 14,460,577 14,852,885 Deferred income taxes 3,357,692 3,288,461 Prepaid expenses and other current assets 5,250,000 7,276,923 Total current assets 151,895,192 151,175,962 Property and equipment, net 62,261,539 60,900,000 Identifiable intangible assets and goodwill, net 3,820,192 3,950,961 Deferred income taxes and other assets 5,853,846 ,238,462 Total assets 223,830,769 225,265,385 LIABILITIES AND SHAREHOLDERS' EQUITY Current liabilities: Current portion of long-term debt 207,692 1,926,923 Notes payable 28,896,154 85,546,154 Accounts payable 20,615,385 20,915,385 Accrued liabilities 18,157,692 23,336,581 Income taxes payable 342,308 582,650 Total current liabilities 68,719,231 82,307,693 Long-term debt 16,765,384 18,088,462 Deferred income taxes and other liabilities 3,942,308 4,253,846 Shareholders' equity Common stock at par value 107,692 107,692 Capital in excess of par value 17,669,231 14,192,308 Unearned stock compensation (380,769) (450,000) Accumulated other comprehensive income 5,850,000) 14,273,077 Retaining earnings 122,857,692 111,038,461 Total shareholders' equity 134,403,846 120,615,384 Total liabilities and shareholders' equity 223,830,769 $ 225,265,385Keystone Condensed Cash Flow Statement For the year ended December 31, 2025 December 31, 2024 Cash provided by operations 25,250,000 26,907,692 Cash used by investing activities (13,165,385) (16,923,077) Cash used by financing activities (13,457,692) (9,696,154) Effect of exchange rate changes on cash 3,284,616 1,873,077 Met increase in cash and cash equivalents S 1,911,539 | 5 2,161,538 Cash and cash eguivalents, beginning of year 9,780,769 7,619,231 Cash and cash equivalents, end of year 5 11,692,308 | S 9,780,769 *Includes dividends paid of 54,988,462 in 2025 and 55,119,231 in 2024 Liquidity Ratios Current ratio = CA/CL Acid-test {quick) ratio = Liquid assets/CL Inventory turnover in days Receivables turnover in days Payables turnover in days Gross operating cycle MNet operating cycle Keystone 2025 151,895192=221 [151,175962-1.84 6871931 [82,307,693 11,692,308+62,361,538=1.08 |9,780,769+60,361,539 = 0.85 82,307,693 222,496,154 = 90.6 days 365 +207,828,462 = 97.6 days {54,773,077+55,615,385)/2 55,615,385 364,953,846 = 61.3 days 365 + 345,965,385 = 63.7 days 60,361,539 365 + 222,496,154 = 34.1 days 365 + 207,838,462 = 36.8 days {20,615,385+20,915,385)/2 20,915,385 61.3 +90.6 = 151.9 days 63.7+97.6 =161.3 days Solvency ratios Debt to equity Times interest earned Profitability ratios 151.934.1=117.8 days 161.3 36.8 = 124.5 days 89,426,923=66.5% |104,650,001=86.7% 120,615,384 35.438,461+1,57,692=29.2 35,353,846 41,730,769 = 21.4 1,730,763 Gross profit margin Profit margin Return on assets Return on stockholders' equity 364,953,846-222, 496,154 = 39.0% 345,965,385-207,838,462 = 39.9% 364,953,346 345,965,385 22,680,769 =6.2% 22,273,077 = 6.4% 364,953,346 345,965,385 22,680,769 = 10.1% 22,273,077 =9.9% (223,830,769+225,265,385)/2 ,265, 22,680,769 =17.7% 22,273,077 =18.5% 134,403,846+120,615,384)/2 120,615,384 & Pd & & Client Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of next steps]. To map each of the questions with the possible risks and proposed control objective/description. To document the type of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness Type of Control the control is working What happens if the What audit | How does the control How to test the Next Steps Possible Risks Proposed Internal Control / Frequency? properly and control is not standard[s) improve operating Description Preventive/ Manual/ control? what audit working? apply? effectiveness? Detective Automated standard Identify the control objective and Note whether control | Identity whether the control Indicate the Indicate whether What outcomes What outcomes occur What Indicate how the Next Steps Identify the next steps and related financial description of procedures in place is preventive (i.e., activity is performed manually frequency in the control is occur if the f the control is not applicable control improves statement risks that is relevant to mitigate the acts before error, e.g., manual authorization or which the designed control works working properly or is Statement of operating Existence or identified risk of material omission, or review of a reconciliation), is control takes effectively (i.e., is |effectively? deficient? Standards for effectiveness. Occurrence, misstatement and achieve the misstatement may automated fi.e., system edit place (e.g., the control, Attestation Completeness, Valuation, objective. Include a detailed occur) or detective checks, system access annual, individually or in Note: Design Engagements Rights and Obligations, description of the control facts after restrictions and authorizations, quarterly, combination with deficiency occurs apply? Presentation and procedures noting the following: error/misstatement automated review and approvals, monthly, other controls, when the control is Disclosure, Accuracy, 1) Who performs the control has occurred). etc.), or performed manually using daily, every capable of not effectively Classification, Cutoff) procedures? system generated information (i.e., | time a effectively designed to meet its that are applicable. 2) How is/are the procedure(5) physically verifying existence of transaction is mitigating the key objective (e.g., the performed? inventory using system generated [processed). risk(s) of material control, individually or 3) How is the performance of the inventory report). misstatement and in combination with control activity documented fie. achieving the other controls, is not what forms are used)? control capable of effectively 4) How is performance of the objective?). preventing or control activity evidenced file detecting and 1. Reviewing the draft audit report 2. Asking questions about auditor's findings 3. Evaluating any recommendations before they are presented to the board in the final reportClient Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of audit tests needed]. To map each of the questions with the possible risks and proposed control objective/description. To document the type of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness Type of Control What occurs if the What audit How does the control Proposed Internal Control / How to test the control is working What happens if the Audit Tests Needed Possible Risks Description Preventive/ properly and what improve operating Manual/ Frequency? standard(s) control? audit standard control is not working apply? effectiveness? Detective Automated applies? Audit Tests Needed Identify the audit tests Identify the control objective and Note whether control |Identify whether the control Indicate the Indicate whether What outcomes What outcomes occur What Indicate how the control needed and related description of procedures in place is preventive (i.e., acts |activity is performed manually frequency in the control is occur if the control | if the control is not applicable improves operating financial statement risks that is relevant to mitigate the before error, e.g., manual authorization or which the designed works effectively? working properly or is Statement of effectiveness. Existence or Occurrence, identified risk of material omission, or review of a reconciliation), is control takes effectively (i.e., is deficient? Standards for Completeness, Valuation, misstatement and achieve the misstatement may automated (i.e., system edit checks, place (e.g., the control Attestation Rights and Obligations, objective. Include a detailed occur) or detective system access restrictions and annual, ndividually or in Note: Design deficiency |Engagements Presentation and description of the control acts after authorizations, automated review quarterly, combination with occurs when the apply? Disclosure, Accuracy, procedures noting the following: error/misstatement and approvals, etc.), or performed monthly, other controls, control is not Classification, Cutoff 1) Who performs the control has occurred). manually using system generated daily, every capable of effectively designed to that are applicable. procedures? information (i.e., physically time a effectively meet its objective (e.g., 2) How is/are the procedure(s) verifying existence of inventory transaction is mitigating the key the control, performed? using system generated inventory processed). risk(s) of material individually or in 3) How is the performance of the report). misstatement and combination with control activity documented (i.e., achieving the other controls, is not what forms are used)? control capable of effectively 4) How is performance of the control objective?). preventing or 1. Inquiry 2. Observation 3. Examination 4. Re-performance 5. Computer-assisted audit techniques (CAAT)Client Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of errors. To map each of the questions with the possible risks and proposed control objective/description. To document the type of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness. Type of Control What occurs if the control is working What audit How does the control Proposed Internal Control / How to test the What happens if the Errors Possible Risks Preventive/ Manual/ Frequency? properly and what standard(s) improve operating Description control? control is not working? effectiveness? Detective Automated audit standard apply? applies? Errors Identify any errors and Identify the control objective and Note whether control Identify whether the control Indicate the Indicate whether What outcomes What outcomes occur What Indicate how the contro the related financial description of procedures in place is preventive (i.e., acts activity is performed manually frequency in the control is occur if the control | if the control is not applicable improves operating statement risks (Existence that is relevant to mitigate the before error, e.g., manual authorization or which the designed works effectively? working properly or is Statement of effectiveness. or Occurrence, identified risk of material omission, or eview of a reconciliation), is control takes effectively (i.e., is deficient? Standards for Completeness, Valuation, misstatement and achieve the misstatement may automated (i.e., system edit checks, place (e-g., the control, Attestation Rights and Obligations, objective. Include a detailed occur) or detective system access restrictions and annual, individually or in Note: Design deficiency Engagements Presentation and description of the control acts after authorizations, automated review quarterly, combination with occurs when the apply? Disclosure, Accuracy, procedures noting the following: error/misstatement and approvals, etc.), or performed monthly, other controls, control is not Classification, Cutoff) 1) Who performs the control has occurred). manually using system generated daily, every capable of effectively designed to that are applicable. procedures? information (i.e., physically time a effectively meet its objective (e.9., 2) How is/are the procedure(s) verifying existence of inventory transaction is mitigating the key the control performed? using system generated inventory processed). risk(s) of material individually or in 3) How is the performance of the report). misstatement and combination with control activity documented (i.e., achieving the other controls, is not what forms are used)? control capable of effectively 4) How is performance of the control objective?). preventing or activity evidenced (i.e., signature detecting and and date on form)? correcting material 1. Error of principle 2. Errors of commission 3. Errors of omission 4. Errors of duplication 5. Compensating errorsClient Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of audit strategies. To map each of the questions with the possible risks and proposed control objective/description. To document the type of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness. Type of Control What occurs if the control is working What audit How does the control Proposed Internal Control / How to test the What happens if the Audit Strategies Possible Risks standard[s) improve operating Description Preventive/ Manual/ Frequency? properly and what control? control is not working? audit standard apply? effectiveness? Detective Automated applies? Audit Strategies Identify the audit Identify the control objective and Note whether control |Identify whether the control Indicate the Indicate whether What outcomes What outcomes occur What Indicate how the control strategies and related description of procedures in place is preventive (i.e., acts activity is performed manually frequency in the control is occur if the control if the control is not applicable improves operating financial statement risks that is relevant to mitigate the before error, e.g., manual authorization or which the designed works effectively? working properly or is Statement of effectiveness. (Existence or Occurrence, identified risk of material omission, or review of a reconciliation), is control takes effectively (i.e., is deficient? Standards for Completeness, Valuation, misstatement and achieve the misstatement may automated (i.e., system edit checks, place (e.g., the control, Attestation Rights and Obligations, objective. Include a detailed occur) or detective system access restrictions and annual, individually or in Note: Design deficiency | Engagements Presentation and description of the control facts after authorizations, automated review quarterly, combination with occurs when the apply? Disclosure, Accuracy, procedures noting the following: error/misstatement and approvals, etc.), or performed monthly, other controls, control is not Classification, Cutoff 1) Who performs the control has occurred). manually using system generated daily, every capable of effectively designed to that are applicable. procedures? information (i.e., physically time a effectively meet its objective (e-9-, 2) How is/are the procedure(s) verifying existence of inventory transaction is mitigating the key the control, performed? using system generated inventory processed risk(s) of material individually or in 3) How is the performance of the report). misstatement and combination with control activity documented (i.e., achieving the other controls, is not what forms are used) control capable of effectively 4) How is performance of the control objective?). preventing or 1. Identified GAAS 2. Basic assumptions 3. Consistent premises 4. Logical principles 5. RequirementsClient Name Working Paper # Working Paper Title Preparer/Date Balance Sheet Date Reviewer/Date: Objective To document the auditor's assessment of evidence needed. To map each of the questions with the possible risks and proposed control objective/description. To document the type of control and the frequency in which it is applied, as well as the assessment of each relevant control's design and implementation. To capture descriptions of any additional SSAE identified and noted impact to operating effectiveness. Type of Control What occurs if the control is working What audit How does the control Proposed Internal Control / How to test the What happens if the standard[s) improve operating Evidence Needed Possible Risks Description Preventive/ Manual/ Frequency? properly and what control? control is not working? audit standard apply? effectiveness? Detective Automated applies? Evidence Needed Identify the evidence Identify the control objective and Vote whether control Identify whether the control Indicate the Indicate whether What outcomes What outcomes occur What ndicate how the contro needed and related description of procedures in place is preventive (i.e., acts | activity is performed manually frequency in the control is occur if the control if the control is not applicable improves operating financial statement risks that are relevant to mitigate the before error, fe.g., manual authorization or which the designed works effectively? working properly or is Statement of effectiveness. (Existence or Occurrence, dentified risk of material omission, or review of a reconciliation), is control takes effectively (i.e., is deficient? Standards for Completeness, Valuation, misstatement and achieve the misstatement may automated (i.e., system edit checks, place (e.g., the control Attestation Rights and Obligations, objective. Include a detailed occur) or detective system access restrictions and annual individually or in Note: Design deficiency | Engagements Presentation and description of the control acts after authorizations, automated review quarterly, combination with occurs when the apply? Disclosure, Accuracy, procedures noting the following: error/misstatement and approvals, etc.), or performed monthly, other controls, control is not Classification, Cutoff 1) Who performs the control has occurred). manually using system generated daily, every capable of effectively designed to that are applicable. procedures? information (i.e., physically time a effectively meet its objective (e-g., 2) How is/are the procedure(s) verifying existence of inventory transaction is mitigating the key the control, performed? using system generated inventory processed). risk(s) of material individually or in 3) How is the performance of the report). misstatement and combination with control activity documented (i.e., achieving the other controls, is not what forms are used)? control capable of effectively 4) How is performance of the control objective?). preventing or 1. Identified GAAS 2. Basic assumptions 3. Consistent premises 4. Logical principles 5. Requirements