8.5 Flashcards
An auditor who decides not to rely on controls should
Document the further audit procedures performed.
The auditor performs further audit procedures in response to the assessed risks of material misstatement at the assertion level. The auditor should document the nature, timing, and extent of further audit procedures. Documentation is necessary even if the auditor emphasizes substantive procedures and does not use tests of controls. For example, (1) risk assessment procedures may not have identified any effective controls relevant to the assertion, or (2) testing controls might be inefficient (AU-C 330).
A client maintains a large data center where access is limited to authorized employees. How may an auditor best determine the effectiveness of this control activity?
Observe whether the data center is monitored.
Physically observing that the data center is being monitored provides direct evidence that the control is in place and is being utilized effectively. The auditor will be able to see, first hand, if the control is preventing unauthorized access.
After obtaining an understanding of internal control in a financial statement audit, an auditor has concluded that it is well designed and is operating effectively. Under these circumstances, the auditor would most likely
Not increase the extent of substantive procedures.
The auditor should obtain reasonable assurance about whether the financial statements are free from material misstatement to permit expression of an opinion on whether they are fairly presented. To obtain reasonable assurance, the auditor collects sufficient appropriate evidence to reduce audit risk to an acceptable level. For the given audit risk and the assessed inherent risk, a lower assessed control risk results in lower assessed risks of material misstatement and a higher acceptable detection risk. Detection risk relates to the nature, timing, and extent of audit procedures. For a higher acceptable detection risk, the less persuasive the audit evidence the auditor requires and the less need to increase the extent of substantive procedures (AU-C 200).
As the acceptable level of detection risk increases for a given audit risk, an auditor may change the
Timing of substantive procedures from year end to an interim date.
For a given audit risk, the acceptable detection risk (the auditor’s risk) is inversely related to the assessed RMMs (the entity’s risks) at the assertion level. Detection risk is the risk that audit procedures will not detect a material misstatement. It relates to the nature, timing, and extent of procedures performed to reduce audit risk to an acceptably low level. Thus, it depends on the effectiveness of audit procedures and their application by the auditor (AU-C 330). For example, as the acceptable level of detection risk for a given audit risk increases, the audit effort devoted to substantive procedures may be reduced. The auditor may change the nature, timing, or extent of substantive procedures, for example, by changing the timing to an interim date.
Which of the following is least likely to indicate the need to increase the assurance provided by substantive testing?
A decrease in the assessed inherent risk.
Substantive procedures are performed to detect material misstatements in management’s assertions. The nature, timing, and extent of substantive procedures are determined by the acceptable level of audit risk. For a given audit risk, the acceptable detection risk is inversely related to the assessed risks of material misstatement. The assessed RMMs are combined assessments of control risk and inherent risk. Thus, a decrease in the assessed inherent risk (1) decreases the assessed RMMs for a given assessed control risk, (2) increases the acceptable detection risk, and (3) does not indicate a need for more persuasive audit evidence (AU-C-200).
Which of the following types of evidence would an auditor most likely consider to determine whether internal controls are operating effectively?
A questionnaire completed by an employee in the receiving department concerning her duties and responsibilities.
Tests of controls are directed toward operating effectiveness. They include inquiries of entity personnel (e.g., a questionnaire completed by an employee in the receiving department); inspection of documents, reports, and electronic files indicating performance of the controls; observation of the application of the controls; and reperformance of the controls by the auditor.
An auditor most likely should test for the presence of unauthorized computer program changes by running a
Source code comparison program.
The best way to test for unauthorized computer program changes is to examine the program itself. By comparing a program under his or her control with the program used for operations, the auditor can determine whether unauthorized changes have been made.
An auditor of a nonissuer should design tests of details to ensure that sufficient audit evidence supports which of the following?
The planned level of assurance at the relevant assertion level.
Tests of details of transaction classes, account balances, and disclosures are substantive procedures. Some substantive procedures should be performed for all relevant assertions related to each material transaction class, balance, and disclosure. With respect to obtaining audit evidence, the auditor’s objective is to obtain sufficient appropriate evidence to be able to draw reasonable conclusions as a basis for an opinion on whether statements are materially misstated. To design and perform further audit procedures (substantive procedures and tests of controls), the auditor assesses the risks of material misstatement at the financial statement and relevant assertion levels.
In an environment that is highly automated, an auditor determines that it is not possible to obtain sufficient appropriate audit evidence solely by performing substantive procedures on transactions. Under these circumstances, the auditor most likely would
Perform tests of controls.
For some RMMs, the auditor may determine that it is not feasible to obtain sufficient appropriate audit evidence only from substantive procedures. These RMMs may relate to routine, significant transactions subject to highly automated processing with no documentation except what is recorded in the IT system. In such circumstances, the controls over the RMMs are relevant to the audit. Thus, the auditor should obtain an understanding of, and test, the controls.
An auditor uses the assessed risks of material misstatement to
Determine the acceptable level of detection risk for financial statement assertions.
For a given audit risk, the acceptable detection risk (the auditor’s risk) is inversely related to the assessed RMMs (the entity’s risks) at the assertion level. Detection risk is the risk that audit procedures will not detect a material misstatement. It relates to the nature, timing, and extent of procedures performed to reduce audit risk to an acceptably low level. Thus, it depends on the effectiveness of audit procedures and their application by the auditor (AU-C 330).
When numerous property and equipment transactions occur during the year, an auditor who assesses the risks of material misstatement at a low level usually performs
Tests of controls and limited tests of current-year property and equipment transactions.
The auditor usually performs tests of controls and substantive procedures (the combined audit approach). The auditor must make decisions about the nature, timing, and extent of substantive procedures that are most responsive to the assessment of the RMMs. These decisions are affected by whether the auditor has tested controls. Thus, the extent of relevant substantive procedures may be reduced when control is found to be effective.
If interim substantive procedures for an account identified no exceptions, which of the following would the auditor not perform on that account at year end?
Tests of details for the entire year under audit.
Substantive procedures may be performed at an interim date. The auditor then should cover the remaining period by performing substantive procedures combined with tests of controls to provide a reasonable basis for extending conclusions. (But the auditor may determine that performing only substantive procedures suffices.) If unexpected misstatements are detected at the interim date, the auditor may conclude that the planned substantive procedures for the remaining period need to be modified. Modification may include extending or repeating at period end the procedures performed at the interim date. Accordingly, if no misstatements (exceptions) for an account are identified at the interim date, the auditor does not perform substantive procedures (tests of details) on the account at period end for the entire year under audit. Thus, the auditor does not repeat procedures performed at the interim date.
While performing interim audit procedures on accounts receivable, numerous unexpected errors are found resulting in a change of risk assessment. Which of the following audit responses would be most appropriate?
Use more experienced audit team members to perform year-end testing.
The higher the risk assessment, the more persuasive the audit evidence should be. Audit evidence should be sufficient and appropriate. Sufficiency relates to quantity and appropriateness to relevance and reliability. To obtain more persuasive evidence, the auditor may increase its quantity or obtain evidence that is more relevant or reliable. The higher the risk assessment, the more likely that performing substantive procedures at or near to period-end is more effective (results in more reliable evidence) than performing them at an interim date. Moreover, assigning more experienced audit team members may result in obtaining more reliable evidence because of their greater competence. Using more experienced audit team members is an example of an overall response to the risk assessment.
When an auditor increases the assessment of the risks of material misstatement because certain controls were determined to be ineffective, the auditor will most likely increase the
Extent of test of details.
An auditor should obtain an understanding of internal control to assess the RMMs. The greater (lower) the assessment of the RMMs, the lower (greater) the acceptable detection risk for a given level of audit risk. In turn, the acceptable audit risk affects substantive testing. For example, as the acceptable audit risk decreases, the auditor changes the nature, timing, or extent of substantive procedures to increase the reliability and relevance of the evidence they provide.
To obtain evidence that online access controls are properly functioning, an auditor most likely will
Enter invalid identification numbers or passwords to ascertain whether the system rejects them.
Employees with access authority to process transactions that change records should not also have asset custody or program modification responsibilities. The auditor should determine that password authority is consistent with other assigned responsibilities. The auditor can directly test whether password controls are working by attempting entry into the system by using invalid identifications and passwords.
