9.6

Question 1

To what degree, if at all, is a significant deficiency related to a material weakness?

Answer 1

It is less severe than a material weakness.

A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness but that merits attention by those charged with governance.

Question 2

Which of the following best describes a CPA’s engagement to report on an entity’s internal control over financial reporting?

Answer 2

An audit engagement that results in issuance of a report relating to the effectiveness of internal control.

In such an attest engagement, the auditor issues a report relating to the effectiveness of the entity’s internal control over financial reporting. The practitioner, as part of engagement performance, obtains from management a written assessment about such effectiveness. AU-C 940 and AS 2201 define the objective of the engagement to express an opinion on the effectiveness of internal control over financial reporting similarly.

Question 3

An auditor is auditing a mutual fund company that uses a transfer agent to handle accounting for shareholders. Which of the following actions by the auditor would be most efficient for obtaining information about the transfer agent’s internal controls?

Answer 3

Review reports on the suitability of design and operating effectiveness of controls produced by the agent’s own auditor.

The mutual fund auditor can use the service auditor’s report to gain an understanding of the controls and to assess the risk of material misstatement at the transfer agent.

Question 4

Management of an issuer subject to SEC requirements requests the auditor to report on whether a previously reported material weakness in internal control continues to exist. The request comes 3 months after the annual audited financial statements and report on internal control were released.

Answer 4

The auditor may accept the engagement if management provides a statement that the identified material weakness no longer exists.

PCAOB AS 6115 applies to engagements solely to report on whether a previously reported material weakness continues to exist. Such an engagement is voluntary and may be performed as of any reasonable date selected by management. To perform such an engagement, the auditor should receive a written report from management that the identified material weakness no longer exists as of the date specified. The auditor then applies appropriate procedures to assess whether remediation has been accomplished.

Question 5

An auditor is auditing internal control in conjunction with the audit of financial statements for an issuer. The auditor is considering the appropriate materiality level for planning the audit of internal control. Relative to the materiality level for the audit of the financial statements, materiality levels for the audit of internal control are

Answer 5

The same.

Auditing standards indicate that the auditor should use the same materiality considerations in the audit of internal control over financial reporting that (s)he would use in planning the audit of annual financial statements.

Question 6

In identifying matters for communication with an entity’s audit committee, an auditor most likely would ask management whether

Answer 6

It consulted with another CPA firm about accounting matters.

Unless all those charged with governance are managers, the auditor should communicate his or her views on significant accounting and auditing matters about which management consulted with other accountants (AU-C 260).

Question 7

In an integrated audit, an auditor should issue an adverse opinion on the effectiveness of an entity’s internal control in which of the following situations?

Answer 7

A material weakness exists.

An audit of the effectiveness of internal control over financial reporting is integrated with an audit of the financial statements. If the engagement determines that a material weakness exists, the auditor should express an adverse opinion on the effectiveness of internal control (AU-C 940).

Question 8

Which of the following statements is true about an auditor’s communication with those charged with governance?

Answer 8

This communication should include management changes in the application of significant accounting policies.

The auditor should communicate to those charged with governance, among other things, management’s selection of and changes in significant accounting policies or their application. The auditor also should determine that those charged with governance are informed about the methods used to account for significant unusual transactions and the effects of significant accounting policies in controversial or emerging areas (AU-C 260).

Question 9

When the regular audit leading to an opinion on financial statements discloses specific circumstances that create suspicion that fraud may exist, and the auditor concludes that the results of such fraud, if any, could not be so material as to affect the opinion, (s)he should

Answer 9

Refer the matter to the appropriate representatives of the client with the recommendation that it be pursued to a conclusion.

The auditor should refer the matter of an immaterial fraud to an appropriate level of management. The appropriate level of management is at least one level above the highest level involved. The auditor should also be satisfied that, in view of the organizational position of the likely perpetrator, the fraud has no implications for other aspects of the audit or that those implications have been adequately considered (AU-C 240).

Question 10

The development of constructive suggestions to a client for improvements in its internal control is a

Answer 10

Desirable by-product of an audit engagement.

During an audit, the auditor may become aware of matters related to internal control that may be of interest to management and those charged with governance. Those matters meeting the definition of significant deficiencies or material weaknesses in internal control should be communicated in writing. Other deficiencies that merit attention should be communicated to management either orally or in writing. The auditor may make constructive suggestions to the client for improvements in its internal control for the benefit of management or others.

Question 11

The activities of the user entity and the service organization have a high degree of interaction. The user auditor

Answer 11

Need not test the service organization’s internal control if the user entity has effective controls related to service organization processing.

The significance of controls at the service organization depends on the degree of interaction between its activities and those of the user entity. The degree of interaction is the extent to which the user entity can, and chooses to, implement effective controls over service organization processing. In these circumstances, the user auditor may be able to obtain an understanding from the user entity of the service organization’s services that suffices to assess the RMMs. Accordingly, the user auditor need not obtain a type 1 or type 2 report.

Question 12

A service auditor’s report on internal control may be issued on management’s description of a service organization system and the suitability of the design of controls or management’s description of a service organization system and the suitability and operating effectiveness of controls. Which of the following is true about a type 1 report?

Answer 12

It should state that the auditor did not test the effectiveness of the controls.

A service auditor’s type 1 report should contain a statement that the auditor did not test the effectiveness of the controls.
The AICPA has issued additional guidance on service auditor reports. The term System and Organization Controls (SOC) report is used in this guidance. The reports obtained by the user auditor in an audit are called SOC 1 reports (type 1 or type 2). Service auditors also may prepare SOC 2 and SOC 3 reports to provide assurance on more than internal controls over financial reporting (e.g., security, availability, processing integrity, confidentiality, or privacy). SOC 2 reports are to be used by those identified in the report, and SOC 3 reports may be used by any user.

Question 13

Which of the following is least likely indicative of a significant deficiency or material weakness in internal control?

Answer 13

A potential future internal control problem having no effect on the current period.

According to AU-C 265, the auditor should communicate material weaknesses and significant deficiencies in internal control to management and those charged with governance. A material weakness is a deficiency, or combination of deficiencies, in internal control such that a reasonable possibility exists that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. However, an auditor is not required to report a potential future internal control problem unless it affects the period under audit.

Question 14

Which of the following statements is true about the auditor’s communication of a material weakness in internal control?

Answer 14

Suggested corrective action for management’s consideration concerning a material weakness need not be communicated to the client.

Although the auditor should communicate material weaknesses to management and those charged with governance, suggested corrective action need not be communicated.

Question 15

During the audit of internal controls integrated with the audit of the financial statements, the auditor discovered a material weakness in internal control. The auditor most likely will express a(n)

Answer 15

Adverse opinion on internal control.

Material weaknesses are significant control deficiencies that result in more than a remote chance that a material misstatement will result in the financial statements. A material weakness requires the auditor to express an adverse opinion on the effectiveness of internal control.

Question 16

Dunn, CPA, is auditing the financial statements of Taft Co. Taft uses Quick Service Center (QSC) to process its payroll. Price, CPA, is expressing an opinion on management’s description of the controls implemented and their suitability of design at QSC regarding the processing of its customers’ payroll transactions. Dunn expects to consider the effects of Price’s report on the Taft engagement. Price’s report should contain a(n)

Answer 16

Description of the scope and nature of Price’s procedures.

The report expressing an opinion on the description of controls implemented and their design (type 1 report) includes (1) a title that includes the word independent; (2) an addressee; (3) identification of management’s description of the system and the criteria in its assertion; (4) a reference to management’s assertion and a statement of management’s responsibility for the controls; (5) a statement that the service auditor’s responsibility is to express an opinion on the fairness of management’s description of the system and the suitability of the design of the controls in meeting the objectives; (6) a statement that the examination was conducted in accordance with the AICPA attestation standards; (7) a statement that the service auditor did not test the effectiveness of the controls; (8) statements about the scope of the service auditor’s procedures; (9) a statement about the inherent limitations of controls; (10) an opinion on whether, in all material respects, based on the criteria, management’s description of the system is fairly presented and whether the controls are suitably designed; (11) an alert, in a separate paragraph, restricting the use of the report to management of the service organization and user entities; (12) the date of the report; and (13) the name, city, and state of the service auditor (AT-C 320).
The AICPA has issued additional guidance on service auditor reports. The term System and Organization Controls (SOC) report is used in this guidance. The reports obtained by the user auditor in an audit are called SOC 1 reports (type 1 or type 2). Service auditors also may prepare SOC 2 and SOC 3 reports to provide assurance on more than internal controls over financial reporting (e.g., security, availability, processing integrity, confidentiality, or privacy). SOC 2 reports are to be used by those identified in the report, and SOC 3 reports may be used by any user.

Question 17

To ensure that the audit report for an issuer is prepared in accordance with Section 404 of the Sarbanes-Oxley Act of 2002, the report must

Answer 17

Attest to and report on the internal control assessment made by the management of the issuer.

Section 404(a) requires an issuer to include in its annual report an internal control report (1) stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and (2) an assessment of the effectiveness of the internal control structure and procedures for financial reporting. Section 404(b) requires the issuer’s auditor to report on the effectiveness of internal control over financial reporting. [But the requirement in 404(b) does not apply to nonaccelerated filers (issuers with market equity of less than $75,000,000).]

Question 18

Firms subject to the reporting requirements of the Securities Exchange Act of 1934 are required by the Foreign Corrupt Practices Act of 1977 to maintain satisfactory internal control. Moreover, the Sarbanes-Oxley Act of 2002 requires that annual reports include (1) a statement of management’s responsibility for establishing and maintaining adequate internal control and procedures for financial reporting, and (2) management’s assessment of their effectiveness. The role of the registered auditor relative to the assessment made by management is to

Answer 18

Determine whether management’s report is complete and properly presented.

According to PCAOB AS 2201, the auditor must express (or disclaim) an opinion on the effectiveness of internal control. Moreover, if the auditor determines that elements of management’s annual report on internal control over financial reporting are incomplete or improperly presented, the auditor should modify his or her report to describe the reasons for this determination.

Question 19

In an integrated audit, if an auditor concludes that a material weakness exists as of the date specified in management’s assertion, the auditor should take which of the following actions?

Answer 19

Issue an adverse opinion.

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that a reasonable possibility exists that a material misstatement of the entity’s annual or interim financial statements will not be prevented or detected on a timely basis. A material weakness requires the auditor to express an adverse opinion on the effectiveness of internal control.

Question 20

The auditor is required to communicate each of the following items to those charged with governance except

Answer 20

All control deficiencies detected during the course of the audit.

The auditor should communicate in writing significant deficiencies and material weaknesses, not all control deficiencies, to management and those charged with governance.