9.4 Flashcards
When the regular audit leading to an opinion on financial statements discloses specific circumstances that create suspicion that fraud may exist, and the auditor concludes that the results of such fraud, if any, could not be so material as to affect the opinion, (s)he should
Refer the matter to the appropriate representatives of the client with the recommendation that it be pursued to a conclusion.
The auditor should refer the matter of an immaterial fraud to an appropriate level of management. The appropriate level of management is at least one level above the highest level involved. The auditor should also be satisfied that, in view of the organizational position of the likely perpetrator, the fraud has no implications for other aspects of the audit or that those implications have been adequately considered (AU-C 240).
Which of the following procedures should a user auditor include in the audit plan to create the most efficient audit when an audit client uses a service organization for several processes?
Review the service auditor’s type 1 report.
The user auditor should obtain a sufficient understanding of the services provided and their effect on the user entity’s internal control relevant to the audit. The understanding should provide a basis for assessing the risks of material misstatement. If a sufficient understanding cannot be obtained from the user entity, the user auditor should obtain it from other procedures. For example, the auditor may obtain and read a type 1 report or a type 2 report. A type 1 report expresses an opinion on (1) the fair presentation of management’s description of the service organization’s system and (2) whether the controls are suitably designed at the specified date. Suitable design means the controls can attain the control objectives if they operate effectively. A type 2 report expresses not only the type 1 opinions but also an opinion on whether the controls were operating effectively (meeting the control objectives). Type 2 opinions relate to design and effectiveness throughout the period rather than at a specific date (AT-C 320 and AU-C 402).
The AICPA has issued additional guidance on service auditor reports. The term System and Organization Controls (SOC) report is used in this guidance. The reports obtained by the user auditor in an audit are called SOC 1 reports (type 1 or type 2). Service auditors also may prepare SOC 2 and SOC 3 reports to provide assurance on more than internal controls over financial reporting (e.g., security, availability, processing integrity, confidentiality, or privacy). SOC 2 reports are to be used by those identified in the report, and SOC 3 reports may be used by any user.
Under the AICPA’s auditing standards, which of the following statements about an auditor’s communication of significant control deficiencies is true?
An auditor’s report on significant control deficiencies should include a restriction on the use of the report.
A communication of significant control deficiencies should (1) state that the purpose of the audit was to report on the financial statements, not to provide assurance on internal control; (2) give the definition of significant control deficiencies and material weaknesses; and (3) state that the report is intended solely for the information and use of those charged with governance, management, and others within the organization (or specified regulatory agency) and is not intended to be, and should not be, used by anyone other than the specified parties.
When reporting to the audit committee on conditions relating to an entity’s internal control observed during an audit of a nonissuer’s financial statements, the auditor should include a
Restriction on the use of the report.
The report is a by-product of the engagement. It is intended solely for the information and use of those charged with governance, management, and others within the organization (or specified regulatory agency) and is not intended to be and should not be used by anyone other than these specified parties (AU-C 905). But law or regulation may require the report to be given to governmental authorities. For issuers, the auditor must express an opinion on whether the client maintained, in all material respects, effective internal control over financial reporting. This report is not restricted as to use.
During the planning phase of an audit, an auditor is identifying matters for communication to those charged with governance. The auditor most likely would ask management whether
There were changes in the application of significant accounting policies.
The auditor should determine that those charged with governance are informed about the initial selection of and changes in significant accounting policies or their application. Moreover, the auditor should discuss the quality of the auditee’s accounting principles as applied in its financial reports (AU-C 260).
An auditor has withdrawn from an audit engagement of an issuer after finding fraud that may materially affect the financial statements. The auditor should set forth the reasons and findings in communication to the
Board of directors.
When the audit indicates the presence of error or fraud that requires a modification of the opinion, and the client refuses to accept the auditor’s report as modified, the auditor should withdraw and communicate the reasons for withdrawal to the audit committee of the board. Withdrawal may or may not be appropriate in other circumstances, depending on the cooperation of management and the board.
Which of the following matters is an auditor required to communicate to those in the entity charged with governance?
I. Disagreements with management about matters significant to the entity’s financial statements that have been satisfactorily resolved
II. Initial selection of significant accounting policies in emerging areas that lack authoritative guidance
Both I & II.
AU-C 260, The Auditor’s Communication with Those Charged with Governance, states that the matters to be discussed include (1) an overview of the planned scope and timing of the audit; (2) the auditors’ responsibilities regarding the audit, such as performing the audit to obtain reasonable, not absolute, assurance about whether the statements are fairly presented; (3) significant accounting policies; (4) sensitive accounting estimates; (5) uncorrected and corrected misstatements; (6) the qualitative aspects of the entity’s accounting practices; (7) significant difficulties during the audit; (8) auditor disagreements with management, whether or not satisfactorily resolved; and (9) any other findings and issues judged to be significant and relevant to those charged with governance. Under the Sarbanes-Oxley Act of 2002, a registered audit firm must communicate (1) critical accounting policies, (2) all alternative treatments of information within GAAP discussed with management, (3) the ramifications of using such treatments, and (4) the treatment preferred by the firm.
Which of the following matters should an auditor communicate to those charged with governance?
The process used by management in formulating sensitive accounting estimates.
Certain accounting estimates are particularly sensitive because they are significant to the financial statements, and future events affecting them may differ from current judgments. Those charged with governance should be informed about the process used in formulating sensitive estimates, including fair value estimates, and the basis for the auditor’s conclusions about their reasonableness (AU-C 260).
Dunn, CPA, is auditing the financial statements of Taft Co. Taft uses Quick Service Center (QSC) to process its payroll. Price, CPA, is expressing an opinion on management’s description of the controls implemented and their suitability of design at QSC regarding the processing of its customers’ payroll transactions. Dunn expects to consider the effects of Price’s report on the Taft engagement. Price’s report should contain a(n)
Description of the scope and nature of Price’s procedures.
The report expressing an opinion on the description of controls implemented and their design (type 1 report) includes (1) a title that includes the word independent; (2) an addressee; (3) identification of management’s description of the system and the criteria in its assertion; (4) a reference to management’s assertion and a statement of management’s responsibility for the controls; (5) a statement that the service auditor’s responsibility is to express an opinion on the fairness of management’s description of the system and the suitability of the design of the controls in meeting the objectives; (6) a statement that the examination was conducted in accordance with the AICPA attestation standards; (7) a statement that the service auditor did not test the effectiveness of the controls; (8) statements about the scope of the service auditor’s procedures; (9) a statement about the inherent limitations of controls; (10) an opinion on whether, in all material respects, based on the criteria, management’s description of the system is fairly presented and whether the controls are suitably designed; (11) an alert, in a separate paragraph, restricting the use of the report to management of the service organization and user entities; (12) the date of the report; and (13) the name, city, and state of the service auditor (AT-C 320).
The AICPA has issued additional guidance on service auditor reports. The term System and Organization Controls (SOC) report is used in this guidance. The reports obtained by the user auditor in an audit are called SOC 1 reports (type 1 or type 2). Service auditors also may prepare SOC 2 and SOC 3 reports to provide assurance on more than internal controls over financial reporting (e.g., security, availability, processing integrity, confidentiality, or privacy). SOC 2 reports are to be used by those identified in the report, and SOC 3 reports may be used by any user.
An auditor’s communication with the board of directors most likely should
Indicate that it is for the sole use of the board.
Communication may be either oral or in writing and should be documented. The auditor communicates significant findings from the audit in writing when (s)he judges that oral communication is inadequate. A written communication should indicate that it is for the sole use of those charged with governance.
An audit client has substantial assets held in a trust that is managed by the trust department of a bank. Which of the following actions by the auditor is the most efficient way to obtain information about the trust department’s internal controls?
Rely on the trust department’s audit report on internal controls placed in operation and their operating effectiveness.
The audit client is a user entity that uses a service organization (the trust department of a bank) to provide services relevant to the user entity’s internal control over financial reporting. The user auditor could perform procedures at the service organization. But the most efficient way to obtain information about the trust department’s internal controls is to read an independent service auditor’s report. A type 1 report addresses management’s description of the service organization’s system and the suitability of the design of controls. A type 2 report addresses (1) these matters and (2) the operating effectiveness of the controls. If the user auditor’s risk assessment includes an expectation that the service organization’s controls are operating effectively, (s)he requires a type 2 report, assuming (s)he does not (1) test the service organization’s controls or (2) use another auditor to do so.
Which of the following best describes a CPA’s engagement to report on an entity’s internal control over financial reporting?
An audit engagement that results in issuance of a report relating to the effectiveness of internal control.
In such an attest engagement, the auditor issues a report relating to the effectiveness of the entity’s internal control over financial reporting. The practitioner, as part of engagement performance, obtains from management a written assessment about such effectiveness. AU-C 940 and AS 2201 define the objective of the engagement to express an opinion on the effectiveness of internal control over financial reporting similarly.
An issuer who is an accelerated filer subject to the Securities Exchange Act of 1934 is required to include in its annual report an auditor’s opinion on whether internal control over financial reporting was
Properly designed and operated effectively.
According to PCAOB’s AS 2201, the report states the auditor’s opinion on whether the entity maintained, in all material respects, effective internal control over financial reporting as of the specified date based on the control criteria.
Which of the following representations should not be included in a written report on internal control related matters identified in an audit under the AICPA’s auditing standards?
There are no significant deficiencies or material weaknesses in the design or operation of internal control.
No report should be issued indicating that no significant deficiencies were noted. The potential for misinterpretation would exist if the auditor issued such a report (AU-C 265).
Moor, CPA, discovers a likely fraud during an audit but concludes that its effects, if any, could not be so material as to affect the opinion. Moor most likely should
Report the finding to the appropriate representatives of the client with the recommendation that it be pursued to a conclusion.
The auditor should refer the matter of an immaterial fraud to an appropriate level of management. The appropriate level of management ordinary is at least one level above the highest level involved. However, any fraud involving (1) management, (2) employees significantly involved in internal control, or (3) others when fraud materially misstates the financial statements, is reported to those charged with governance.
