A2 - Engagement Quality Flashcards
Who can sit on the audit committee?
○ 3-5 “outside directors” - directors who aren’t employees of the company
§ E.g. the CEO usually sits on the BOD but, as an employee, can't sit on the AC
○ Directors that don’t have a “material financial interest” in the company
§ E.g. outside director can’t have a big personal investment in the company
What does the AC do?
a) Appoint auditor and determine how much auditor is paid
b) Ensure the auditor is independent of the company
c) Review any auditor findings
d) Ensure audit is good quality
e) Ensure recommendations from the auditor are given appropriate attention
f) Resolve disagreements between auditor and management
g) Evaluate internal control environment of the company
h) Report to BOD and stockholders
How often does the auditor need to be allowed private communications with the AC?
At least once a year
What are some of the things the auditor should assess before they accept an engagement?
a) Can they meet the reporting deadline
b) Do they have enough staff capacity
c) Independence
d) Management’s integrity
e) Management’s framework is acceptable
f) Management accepts responsibility for FS and internal controls
g) Management will give them access to all information relevant to the FS and unrestricted access to personnel within the company
This is one of the very rare circumstances in which “all” answers are correct
h) Scope limitations (e.g. client says that they don’t have adequate accounting records)
§ Or they can accept if a disclaimer of opinion is okay for the client’s purposes
§ If the management-imposed scope limitation would result only in a qualified opinion, or the limitation is due to something beyond management’s control (e.g. a fire destroyed their records), then the auditor could still accept
What is the engagement letter and what should be included in it?
a. Addressee
b. Objective and scope of audit
§ Reasonable, not absolute, assurance
c. Responsibility of auditor
d. Responsibility of management
§ Management is responsible for preparing the FS and internal controls
e. Other relevant information
f. Reporting
g. Signature
h. Other relevant items
§ Information relating to the timing
§ Information about arrangements with the previous auditor
§ Management will provide responses in a timely manner
§ Information about specialists that will be used
What are the additional criteria for acceptance under an ERISA plan financial audit?
§ Management maintains a current plan instrument (including amendments)
§ Management administers the plan and determines that transactions are presented in conformity with the plan’s provisions
What is an ERISA Section 103(a)(3)(C) audit? What are management’s additional responsibilities?
□ Auditor doesn’t have to look at all of the investments b/c certain investments can be certified by a qualified institution
□ Management likes these types of audits b/c auditor does less and therefore management is charged less
□ If management wants to do this, they are responsible for making sure that:
® they qualify for that type of audit
® investment info can be prepared and certified
® information is appropriately measured, presented, and disclosed
□ Management also has to provide the auditor a draft of Form 5500 (not required in a typical FS audit, only ERISA)
Do auditors of issuers and nonissuers need to obtain a new engagement letter every year?
- Issuers - auditor must obtain signed engagement letter EVERY YEAR
○ Signed by AC and auditor
- Nonissuers - if no revision is necessary, auditor should remind management of the terms of the engagement letter (either orally or in writing)
What does the auditor have to do before they accept an audit?
*important area
○ Must talk to predecessor auditor
§ Must obtain client’s permission first
§ If management refuses, then you shouldn’t accept the engagement
○ Certain questions that they have to ask (HEAVILY TESTED AREA):
a) Management’s integrity
b) Disagreements with management
c) Reason for change in auditor
d) Any communication with AC (fraud, noncompliance, internal control matters)
e) Nature of entity’s relationships and transactions with related parties and unusual transaction
f) Look at predecessor’s working papers
What are the 6 elements of quality control?
Hint: HELP ME
1) Human Resources
§ Recruitment and hiring
§ Figure out who is going to what engagement
§ Performance evaluation, compensation, and advancement
2) Engagement/client acceptance and continuance
§ Should the firm accept a client or continue a relationship?
§ Can the firm reasonably expect to complete the engagement competently?
§ Legal and ethical requirements
3) Leadership responsibilities
§ Firm leadership bears ultimate responsibility for the firm’s quality control system
4) Performance of the engagement
§ Policies & procedures to ensure engagements have proper supervision
§ Information is kept confidential and safe
5) Monitoring
§ Helps ensure policies and procedures are actually in place and being followed
□ Just b/c you have them, doesn’t mean they are followed
§ “Wrap-up” or second partner review by a partner not involved in the audit
□ Required for issuers
□ Not required for nonissuers
6) Ethical requirements
§ Helps maintain public confidence in the profession
§ Maintain independence
§ At least annually, employees fill out independence form
□ Includes their investments, spousal investments, spousal jobs, parents jobs, etc.
What is the difference between quality control standards and GAAS?
Quality Control Standards
- Applies to all professional activities of the firm
- HELP ME
GAAS
- Applies to each individual engagement
- Acceptance, risk and response, performing procedures and obtaining evidence, forming conclusions, reporting
- Doesn’t cover firm-level matters such as who you hired, whether you have peer reviews, or whether staff have proper training
*Failed or inadequate quality control ≠ lack of compliance with GAAS (a QC deficiency does not by itself mean a given engagement failed to comply with GAAS)
What areas of work should an engagement partner not be delegating?
○ Critical judgement areas
○ Significant risks
○ Other areas based on significant professional judgement
What is an EQCR? Is this required for issuers and/or nonissuers?
EQCR is an engagement quality control review. It is performed by a partner not on the engagement who looks at a high level to make sure that important areas of the audit are being handled appropriately (e.g. sig judgement, independence, etc.).
Required for issuers
Nonissuers - performed only when the firm’s quality control policies require it
Do the auditor’s working papers support the audit opinion or the client’s presented FS?
Audit opinion
○ Client’s records support their FS
○ Working papers are for us, not them
How long do you need to keep audit documentation for?
○ Nonissuer - 5 years
○ Issuer - 7 years
How long does the auditor have to gather their final documentation file after the report release date? Why does this matter?
○ Nonissuer - 60 days after report release date
○ Issuer - 45 days after report release date
○ Important date b/c after this date (the documentation completion date), nothing can be deleted from the file, and anything added must be documented (what was added, when, by whom, and why)
What are the 2 types of audit documentation?
- Permanent/Continuous Audit File
§ Things that are relevant for >1 year (e.g. pension plans, multi-year contracts, leases, stock options, bylaws, articles of incorporation, bond info)
- Current File
§ Relates to this year (e.g. audit plan, audit report, FS, trial balance, adjusting JEs, confirmations, management representation letter, etc.)
What is a control?
a policy/procedure established to achieve the control objectives of management
What are the 3 categories of control objectives?
Hint: ERC
- Effectiveness and efficiency of operations
- Reliability - of financial reporting
§ Most relevant for audit
- Compliance - with applicable laws and regulations
What is the COSO framework?
Committee of Sponsoring Organizations
- First released in 1992 to try and help entities reduce fraudulent financial reporting
- In 2013, the framework was updated to deal with all of the changes that have occurred since 1992
○ Introduced 17 principles that have been categorized into 5 major components
What are the 5 elements of internal controls? Which are considered direct and which indirect?
Hint: CRIME
Indirect (entity-level controls that support the direct controls):
1. Control Environment
2. Risk Assessment
5. Monitoring Activities
Direct (precise enough to address risks of material misstatement at the assertion level):
3. (Existing) Control Activities
4. Information and Communication
What is the control environment part of internal controls?
Tone at the top of the organization
○ EBOCA
§ Ethics - commitment to ethics and integrity
§ Board - board independent and oversight
§ Organizational structure
§ Commitment to competence
§ Accountability
What is the risk assessment part of internal controls? What is the auditor’s additional responsibility in relation to IT risks?
Auditor tries to understand how management addresses risk areas
○ We want to make a “SAFR” environment
§ Specify objectives
§ Assess - identify and assess changes
§ Fraud - consider the potential for fraud
§ Risks - identify and analyze risks
- Auditor must also evaluate IT risk:
○ Reliance on systems or programs that process data inaccurately
○ Unauthorized access to data
○ Unauthorized changes to data
○ Potential loss of data
What is the (Existing) Control Activities part of internal controls?
Policies and procedures that help ensure management’s directives are carried out and that risks to the achievement of objectives are mitigated
○ CATP
§ Control Activities - select and develop control activities
§ Technology - select and develop technology controls
§ Policies - deploy policies and procedures
What is the Information and Communication part of internal controls?
○ “OIE, this is a lot of information”
§ Obtain - and use information
§ Internally - internally communicate information
§ External parties - communicate with external parties
What is the Monitoring Activities part of internal controls?
○ “Monitor your SOD to make sure the grass grows”
§ Separate and Ongoing - separate and ongoing evaluations of controls
□ Frequency depends on the risk
§ Deficiencies - communication of deficiencies
□ Not good enough to just identify
What are the 8 control activities we want an entity to have?
Hint: PAID TIPS
- Prenumbering of documents
- All transactions are recorded (completeness)
- No transactions are recorded more than once (existence)
- E.g. you can see you have checks 11, 12, and 14 but no 13
○ Or you can see you have 11, 12, 12, 13 so you have 12 twice
- Authorization and Approval of Transactions
- Happens before a transaction happens
- Affirms a transaction is valid
- Independent Checks
- Verification of work performed by somebody else
○ Have someone independent review another’s work
- Documentation
- E.g. need to have certain documentation in place before a transaction can be processed
- Timely and Appropriate Financial Performance Reviews
- Comparison of actual and forecast performance
- Any variances would be looked into
- Information Processing Controls
- Can be automated or manual
- Makes sure items captured by the system are recorded accurately and correctly
- Physical or Logical Controls for Safeguarding Assets
- Physical - e.g. locks, safes, or badge-controlled rooms that prevent access to assets and records
- Logical - e.g. passwords and access rights, so not everyone has access to all information in the system
- Segregation of Duties
- ARC should all be different people
○ Authorization - person who authorizes
○ Record keeping - person who records
○ Custody - person who has physical custody of the asset (e.g. ships the goods, holds the cash)
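Two of the PAID TIPS controls above (prenumbering of documents for completeness/existence, and ARC segregation of duties) can be checked mechanically. The following is an added example and is not part of the original flashcards; it generalizes the check-number example in the text to any unsorted prenumbered sequence with several gaps or duplicates, and adds a conflict check over a constructed list of user/role assignments. The role names and sample data are assumptions for illustration.

```python
"""Added example: automated checks for two PAID TIPS control activities.

1. Prenumbered documents: report gaps (completeness) and duplicates (existence).
2. Segregation of duties: report users holding more than one of the ARC roles
   (Authorization, Record keeping, Custody).
"""
from collections import Counter


def check_prenumbered_sequence(doc_numbers):
    """Return (gaps, duplicates) for a prenumbered document sequence.

    gaps:       numbers between the lowest and highest seen that never appear
                (a missing document -> possible unrecorded transaction)
    duplicates: numbers recorded more than once
                (a reused number -> possible double recording)
    The input does not need to be sorted.
    """
    if not doc_numbers:
        return [], []
    counts = Counter(doc_numbers)
    lo, hi = min(counts), max(counts)
    gaps = [n for n in range(lo, hi + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return gaps, duplicates


# Assumed role names for the ARC functions (hypothetical labels).
SOD_ROLES = {"authorize", "record", "custody"}


def find_sod_conflicts(assignments):
    """assignments: iterable of (user, role) pairs.

    Returns {user: sorted list of ARC roles} for every user holding two or
    more of the ARC roles. Roles outside SOD_ROLES are ignored.
    """
    held = {}
    for user, role in assignments:
        if role in SOD_ROLES:
            held.setdefault(user, set()).add(role)
    return {u: sorted(r) for u, r in held.items() if len(r) > 1}


# Constructed sample data (not from any real entity).
CHECKS_WITH_GAP = [11, 12, 14]          # 13 is missing
CHECKS_WITH_DUP = [11, 12, 12, 13]      # 12 appears twice
ROLE_ASSIGNMENTS = [
    ("alice", "authorize"),
    ("bob", "record"),
    ("carol", "custody"),
    ("dave", "authorize"),
    ("dave", "custody"),                # conflict: authorizes and ships
    ("erin", "report"),                 # not an ARC role
]

if __name__ == "__main__":
    print("gap run:", check_prenumbered_sequence(CHECKS_WITH_GAP))
    print("dup run:", check_prenumbered_sequence(CHECKS_WITH_DUP))
    print("SoD conflicts:", find_sod_conflicts(ROLE_ASSIGNMENTS))
```

In practice the gap check is run against the numbering range the entity says it issued in the period; a gap at the very start or end of the range is invisible to this function because it only looks between the lowest and highest number actually seen, so the issued range should be checked separately.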
As part of planning, auditors decide on:
a) Nature and Extent of Planning
b) Involvement of Key Engagement Team Members
c) Supervision of Assistants
d) Nature, Extent, and Timing
e) Disagreement Among Auditors
Talk about each and what auditors consider when planning for them.
a) Nature and Extent of Planning
- depends on the complexity of the client
b) Involvement of Key Engagement Team Members
- partner has ultimate responsibility for audit and signing off
- seniors and staff need to be supervised and their work reviewed
c) Supervision of Assistants
- schedule a call with the team prior to the audit
- inform them of the objectives of the audit, NET of procedures, any other important stuff
d) Nature, Extent, and Timing
- depends on complexity of client, nature of work, experience of team, riskiness
e) Disagreement Among Auditors
- should be brought up to the audit partner who makes the final decision
- If staff still disagree after partner ruling, the staff can decide to be disassociated from the audit
What does it mean for audits to use a “risk based” approach?
Test risky areas more heavily. Not every account is audited equally
Do auditors need to have experience in the industry of their prospective client before accepting an engagement?
No, but once accepted they need to become familiar and gain experience (e.g. through reading standards and industry guidance)
What is an audit strategy and what is included?
What is it: outlines the approach an auditor will take to conduct an audit
What is included:
- scope (including materiality)
- objectives
- timing
- required comms
- factors that determine the focus
Which would outline the nature, extent, and timing of audit procedures - the audit plan or audit strategy?
Audit plan - it is the more detailed document and describes the nature, extent, and timing of the planned risk assessment procedures and further audit procedures; the strategy sets the scope, timing, and direction of the audit and guides the development of the plan
What are the two categories of audit procedures?
- Risk Assessment Procedures
* Includes understanding of controls as well as environment
* Audit is risk based so this is important
- Further Audit Procedures
a) Test of Controls - evaluate effectiveness of controls
b) Substantive Procedures - use to detect material misstatements by testing transactions, account balances, etc.
i. Test of Details
ii. Substantive Analytical Procedures
What additional considerations need to be made for planning an ERISA audit? What if they elect for 103(a)(3)(C)?
Normal ERISA:
a) obtain most current plan instrument
b) confirm plan tax status if they are tax-exempt
c) prohibited transactions
103(a)(3)(C) - plan gets some investment information certified by a qualified institution
- need to assess how management determined that the plan is eligible for the election and that the certifying institution is a qualified institution
- auditor identifies which investment information is certified
- auditor then doesn’t need to perform as extensive procedures on the certified information
What are the 6 relevant assertions?
Hint: COVER UP
- Completeness - all accounts and disclosures that should have been included are included
- Cutoff - correct period
- Valuation, Allocation, and Accuracy - fairly stated at right amount
- Existence and Occurrence - did this actually occur, does this actually exist
- Right and Obligations - does the entity have the rights to this asset or obligation to this liability
- Understandability of Presentation and Classification - easy to understand, classified correctly
What is required in terms of communicating the audit plan to TCWG?
- written or oral
- Have to communicate significant risks identified
- During this communication, auditor can also ask questions to gain a further understanding of the entity and where TCWG see risky areas
What is additionally included in a group audit engagement plan?
- Extent that group engagement team will use work of component auditor
- Whether they are going to reference the component auditor or take full responsibility
Can audit plans be altered once they’ve been made?
Yes - can and usually are changed throughout the audit as new evidence is gathered by the auditors
What are the things auditors can’t share responsibility with IA for?
- Issuing report
- Audit decisions
- Judgments
- Assessments made as part of the audit
What can IA help the auditor with?
- Gaining understanding of client’s internal controls
- Assessing risk - while IA can’t help directly with highly judgmental areas, their general work can help inform the external auditor’s risk assessment
- Performing control testing - external audit can leverage IA’s control testing provided they have found the IA’s to be competent and reliable
- Performing substantive procedures - this would mostly be through an IA’s assessment of an area as higher risk and therefore the external auditor plans more procedures
Would we consider IA to be independent of the client?
No
Can IA work alone eliminate the external auditor’s own testing for amounts with:
a) High RMM
b) High subjectivity
c) Low RMM
d) Low subjectivity
High RMM - no
High subjectivity - no
Low RMM - yes
Low subjectivity - yes
If the external auditor is going to use the IA’s work in obtaining audit evidence, what must be assessed?
- Competence
- Objectivity - we want IA to report to TCWG/the audit committee, not to the management whose work they audit (e.g. the accounting department)
- Whether IA function applies a systematic and disciplined approach, including quality control
What are specialists
Special skill in a field other than auditing
What is the difference between a management and auditor specialist
- Auditor Specialist
- Person auditor hires in helping obtain sufficient, appropriate audit evidence
- Management Specialist
- Hired by management to help prepare financial statements
What should be agreed upon with a specialist and does it need to be in writing
- Nature, scope, and objectives of the work
- Respective roles and responsibilities of both parties
- Nature, timing, and extent of communication
- Confidentiality requirements (if any)
*doesn’t need to be in writing
Can an auditor blindly rely upon the evidence of a specialist
No - need to have enough knowledge to be able to understand if it seems right.
Can do this through talking with the specialist, reviewing the support they used, etc.
What should an auditor evaluate about a specialist before relying on their work
- Need to evaluate competence, capabilities, and objectivity of a specialist
- Competence and Capability - look at education, experience, reputation, etc.
- Objectivity - assess independence
When would you/would you not refer to a specialist in an auditor’s report
- Do not refer to specialist if:
- Management’s specialist
- Auditor is expressing an unmodified/unqualified opinion
- Refer to specialist if:
- Modified opinion due to specialist’s findings
- Explanatory paragraph added
- Helps users understand a CAM/KAM
Are IT auditors considered specialists
No - their expertise is considered to be in accounting or auditing, not in another field
Do agreements with component auditors need to be written?
Yes
When is a misstatement material?
When that misstatement (individually or in aggregate) would substantially impact the decision making of a user
What are the benchmarks that can be used for calculating materiality?
- Total revenue
- Gross profit
- Profit before tax from continuing operations
- Net assets
What are performance materiality and tolerable misstatement and which is for issuer/nonissuer?
Amounts set by the auditor below overall materiality (usually a % of it) to reduce to an appropriately low level the probability that uncorrected and undetected misstatements, in aggregate, exceed materiality for the FS.
PM –> nonissuer
TM –> issuer
What is a clearly trivial misstatement?
- Even when aggregated, wouldn’t affect anything
What is audit risk?
The risk that the auditor expresses an inappropriate opinion (e.g. unmodified) when the FS are materially misstated
What is the difference between a factual misstatement, a judgmental misstatement, and a projected misstatement?
- Factual Misstatements - there is no doubt
- e.g. they buy a copier that cost $5,000 and is recorded at $500
- Very objective
- Judgmental Misstatements
- Arise from differences in judgement
- E.g. management has their estimate for AFDA and the auditor disagrees
- Projected Misstatements
- Auditor comes up with their best estimate of a misstatement in a sample and projects it to the population
In the formula audit risk = RMM * Detection risk, what are the two types of risk that make up RMM and what do they mean?
Inherent Risk - the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a material misstatement, before any consideration of related controls
Control Risk - risk that the client’s internal controls don’t catch or prevent a material misstatement
What are the 5 things inherent risk is based upon?
- Complexity
- The more complex a calculation or business transaction is, the more likely that the account or disclosures will be incorrect
- Subjectivity
- Something is subject to opinion (e.g. choosing depreciation or valuation method)
- Change
- When there is change, there is a higher likelihood that something will go wrong
- E.g. application of new accounting principles, expansion
- Uncertainty
- Anything that is outstanding (e.g. warranties, legal claims)
- Management bias or other fraud risk factors
- e.g. transactions not at arms-length
When would IR be assessed as high vs low?
*MUST KNOW
- High risk:
- High-volume, unique, or individually significant transaction
- Complex or subjective calculations
- Amounts derived from estimates
- Cash (companies that deal with a lot of cash)
- Other factors that increase IR:
- When things aren’t going well for the company
- Technology that renders a product obsolete
- Lack of working capital
- Decline in overall industry or economy
- Low risk:
- If the account is not likely to contain a material misstatement
When is control risk assessed as high vs low? What are the implications on the amount of testing the auditor needs to perform?
Low if client has effective internal controls that the auditor can rely on
* Auditor needs to test the controls to confirm their operating effectiveness
* Allows for a reduced amount of substantive testing
Control risk is high if (NEED TO MEMORIZE)
- There are no effective controls
- Implemented controls aren’t operating effectively
- Sufficient, appropriate audit evidence can only be obtained through substantive testing
Auditor needs to perform more thorough substantive testing b/c the controls cannot be relied on
What is detection risk? Can detection risk ever be eliminated completely? What is the relationship between detection risk and RMM?
What is detection risk?
- risk that the auditor won’t detect a material misstatement
- function of our audit test work
Can detection risk ever be eliminated completely?
- no, some amount will always exist b/c we can’t issue absolute assurance
What is the relationship between detection risk and RMM?
* Detection risk and RoMM have an inverse relationship
* High RoMM –> set low DR
* Low RoMM –> set high DR
○ Level of RoMM determines the level of DR
○ Logically, if you think the likelihood of RoMM is higher, you need your DR to be lower meaning you catch more stuff
What are the 3 ways an auditor controls detection risk?
- Nature - change the nature of substantive tests (from less effective to more effective)
- Extent - change the extent of substantive testing performed
- Timing - change the timing (e.g. perform at YE instead of interim)
Can the auditor decrease IR/CR based on their procedures? What about DR?
- can’t do anything about IR/CR, these depend on the client’s systems of operations
- you can change your assessment of them throughout the audit, but nothing you do will change the actual levels
- DR is raised/lowered depending on the NET of your procedures
What are the steps to assessing audit risk?
Step 1: Determine AR
* Usually set at a low risk b/c nobody wants to get sued
* If a question doesn’t tell you the AR, assume it’s low
Step 2: Assess IR
* High if accounts are likely to contain a RMM
○ Low if vice versa
Step 3: Assess Control Risk
* 3 ways CR is high
○ Note: if CR is high, RMM will always be high
* If CR is low, then test controls
Step 4: Detection Risk
- Based on the assessed levels of IR and CR
- Solving AR = IR × CR × DR gives DR = AR / (IR × CR), so as RMM (IR × CR) increases, the DR the auditor can accept decreases
What is the difference between fraud and error?
Fraud - intentional
Error - unintentional
What are the types of fraud?
- Fraudulent Financial Reporting (lying)
- Intentional misstatements/omissions of amounts disclosed in the FS
- Trying to deceive users of FS
- Including:
○ Manipulation, falsification, or alteration
○ Misrepresentation or intentional omission
○ Intentional misapplication of accounting principles
- Usually done by management - they have the technical knowledge to do it
- Misappropriation of Assets (stealing)
- Theft of assets
○ Someone steals assets or pays for something not received
- Can be done by anyone
What are the 3 conditions for fraud?
- Incentives/Pressures
- Person committing fraud has a reason to commit (e.g. trying to get bonus or tough management)
- Opportunity
- Lack of effective controls
- Rationalization/Attitude
- Justify their fraudulent behavior somehow
What are each party’s responsibilities in relation to fraud?
Management’s Responsibility
* D&I of controls to prevent, deter, and detect fraud
Auditor’s Responsibility
- Plan and perform the audit to obtain reasonable assurance
- Specifically assess RMM due to fraud and identify higher risk areas
- Continue to assess fraud throughout the audit
What is the ET’s responsibility in relation to discussing fraud?
- MUST have a discussion of fraud with the entire audit team
- Brainstorm regarding:
- What areas might be high risk for fraud
- How management could hide fraud
- How assets could be misappropriated
- Emphasize professional skepticism
What are the 3 ways that the ET obtains information regarding fraud?
- Inquire of Entity Management
- E.g. operating personnel, legal counsel, IA, TCWG
- Consider Results of Analytical Procedures
- Planning Phase - analytical procedures over revenue
○ Make sure growth in revenue makes sense
- Evaluate Fraud Risk Factors
- Absence of any of these risk factors doesn’t mean there was no fraud
What are the 3 ways that the auditor tries to respond and address risks?
- Overall, General Response
- Assign experienced personnel
- Determine appropriate supervision
- Vary audit procedures
- Evaluate management selection of principles
- Specific Procedures (NET)
- Can vary the:
○ Nature
○ Extent
○ Timing
- Risk of Management Override
- Look at nonstandard/unusual entries
- Review entries for bias
- Review unusual transactions
What are the documentation requirements around fraud?
Documentation should include:
* Fraud risk assessment
* Response
* Discussion among engagement personnel
* What auditor identified as riskier areas
* If the auditor concluded that improper revenue recognition is not a fraud risk (overcoming the presumption), the reasons why
Who should the auditor tell about indications of fraud?
- Any indication of fraud –> discuss with a level of management one above those involved
- Fraud that causes a material misstatement –> discuss with client’s senior management and report directly to TCWG
- If fraud relates to client’s senior management –> tell TCWG
- Risk factors representing a material weakness or significant deficiency –> tell client’s management and TCWG