9.3 Flashcards
An auditor’s communication with those charged with governance is required to include the
Discussion of disagreements with management about matters that significantly affect the entity’s financial statements.
Disagreements with management may concern application of accounting principles, judgments about estimates, the scope of the audit, disclosures in the statements, and the audit report. The auditor should discuss these disagreements with those charged with governance, whether or not they were satisfactorily resolved, if their subject matter could be significant to the statements or the audit report (AU-C 260).
A report on an issuer’s integrated audit must include each of the following statements, except
The audit was conducted in accordance with AICPA standards.
The AICPA standards provide guidance for the audits of nonissuers (nonpublic entities) that may request to have an opinion expressed on the effectiveness of ICFR.
Which of the following disagreements between the auditor and management do not have to be communicated by the auditor to those charged with governance?
Disagreements of the amount of the LIFO inventory layer based on preliminary information.
Auditor disagreements with management about significant matters, whether or not satisfactorily resolved, should be communicated to those charged with governance. However, disagreements do not include differences of opinion based on preliminary information or incomplete facts that are later resolved.
Which of the following is true regarding significant deficiencies and material weaknesses in control for a nonissuer?
Auditors should communicate them to management and those charged with governance.
The auditor should report certain control deficiencies in internal control observed during an audit. The communication is expected to be to management and those charged with governance. The auditor should report in writing significant deficiencies and material weaknesses in the design or operation of internal controls. The communication also should include an explanation of the potential effects of each significant deficiency and material weakness and sufficient information about the context of the communication.
Which of the following statements about significant deficiencies and material weaknesses in internal control is true for an audit of a nonissuer?
An auditor may communicate significant deficiencies and material weaknesses during an audit or after the audit’s completion.
When early communication is important, the auditor may communicate significant matters orally during an audit. However, significant deficiencies and material weaknesses are best communicated by the audit report release date, and the communication is required to be made no later than 60 days after the report release date.
A client uses a service organization to process its payroll. Which of the following statements is correct regarding the user auditor’s use of the service auditor’s report on internal controls placed in operation?
The client’s auditor can use the service auditor’s report as audit evidence for the client’s internal controls.
If the user auditor is unable to obtain a sufficient understanding of the controls from the user entity, the user auditor may use a service auditor’s report to obtain the understanding and determine whether the controls have been placed in operation.
In an audit of internal control over financial reporting, which deficiencies in control should be communicated in writing to those charged with governance?
Both material weaknesses and significant deficiencies.
The auditor should communicate, in writing, to management and to those charged with governance all material weaknesses and significant deficiencies identified during the audit. The written communication should be made prior to the report release date. The auditor also should communicate to management, in writing, all lesser deficiencies in internal control and inform those charged with governance when such a communication has been made.
When an auditor is to conduct an audit of a service organization, what considerations should the auditor make in the planning stages regarding internal controls of the organization?
The auditor should determine whether management has adequately described complementary user controls.
The service auditor should obtain an understanding of the service organization’s system, including controls within the scope of the engagement. Understanding controls at the service organization requires evaluating management’s description of the service organization’s system, including complementary user entity controls (AT-C 320).
The AICPA has issued additional guidance on service auditor reports. The term System and Organization Controls (SOC) report is used in this guidance. The reports obtained by the user auditor in an audit are called SOC 1 reports (type 1 or type 2). Service auditors also may prepare SOC 2 and SOC 3 reports to provide assurance on more than internal controls over financial reporting (e.g., security, availability, processing integrity, confidentiality, or privacy). SOC 2 reports are to be used by those identified in the report, and SOC 3 reports may be used by any user.
Which of the following matters is an auditor not required to communicate to an entity’s audit committee?
The degree of reliance the auditor placed on the management representation letter.
Management representations are audit evidence but do not substitute for necessary auditing procedures. The auditor should use professional judgment in determining the reliability of management representations. However, (s)he need not communicate this judgment to those charged with governance.
When communicating significant deficiencies in internal control noted in a financial statement audit of a nonissuer, the communication should indicate that
The purpose of the audit was to report on the financial statements, not to provide assurance on internal control.
According to an illustrative written communication in AU-C 265, the auditors state, “we considered the Company’s internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control. Accordingly, we do not express an opinion on the effectiveness of the Company’s internal control.”
During planning, an auditor of a nonissuer should communicate which of the following to those charged with governance at an entity?
The audit does not relieve management of its responsibilities for the financial statements.
Effective two-way communication, among other things, assists those charged with governance to fulfill their responsibility to oversee the financial reporting process. The result should be reduced risk of material misstatement. Communications with management should address its responsibility for the preparation and fair presentation of the financial statements.
Which of the following statements is true about an auditor’s communication to those charged with governance?
The auditor is required to inform those charged with governance about misstatements discovered by the auditor and not subsequently corrected by management.
The matters to be communicated to those charged with governance include uncorrected misstatements, other than those not accumulated by the auditor because they are clearly trivial. The auditor communicates uncorrected misstatements and the effect they may have, individually or aggregated, on the opinion. Furthermore, material uncorrected misstatements should be identified individually. Also, the auditor should communicate to those charged with governance the effect of uncorrected misstatements related to prior periods (AU-C 260).
Payroll Data Co. (PDC) processes payroll transactions for a retailer. Cook, CPA, is engaged to issue a report on PDC’s internal controls implemented as of a specific date. These controls are relevant to the retailer’s internal control, so Cook’s report may be useful in providing the retailer’s independent auditor with information necessary to plan a financial statement audit. Cook’s report should
Contain a disclaimer of opinion on the operating effectiveness of PDC’s controls.
Service auditors may report (1) on the fairness of management’s description of the controls and whether the controls have been implemented and are suitably designed (type 1 report) or (2) additionally on operating effectiveness (type 2 report). The type 1 report should include a disclaimer of opinion related to operating effectiveness of the controls.
The AICPA has issued additional guidance on service auditor reports. The term System and Organization Controls (SOC) report is used in this guidance. The reports obtained by the user auditor in an audit are called SOC 1 reports (type 1 or type 2). Service auditors also may prepare SOC 2 and SOC 3 reports to provide assurance on more than internal controls over financial reporting (e.g., security, availability, processing integrity, confidentiality, or privacy). SOC 2 reports are to be used by those identified in the report, and SOC 3 reports may be used by any user.
If an auditor performing an integrated audit identifies one or more material weaknesses in a nonissuer’s internal control, the auditor should
Express an adverse opinion on the entity’s internal control.
Material weaknesses are significant control deficiencies that result in more than a remote chance that a material misstatement will result in the financial statements. A material weakness requires the auditor to express an adverse opinion on the effectiveness of internal control.
Which of the following best describes the responsibility of an auditor of a private entity with respect to significant deficiencies and material weaknesses under AU-C 265, Communication of Internal Control Related Matters Identified in an Audit?
The communication by the auditor must be in writing.
The auditor communicates on a timely basis and in writing to those charged with governance significant deficiencies and material weaknesses identified during the audit. This communication includes those remediated during the audit. The auditor also communicates on a timely basis and in writing to the appropriate level of management significant deficiencies and material weaknesses communicated (or intended to be communicated) to those charged with governance. (But certain deficiencies should not be reported directly to management.)