A2 "QC, Engagement Acceptance, Planning, and IC" Flashcards
All CPA firms must adhere to a sound system of ___ no matter what level of service it provides.
quality control
What is the acronym to help remember the six interrelated elements of quality control?
HELP ME
What does HELP ME stand for? What is the acronym for?
“HELP ME” maintain quality control in my audit practice:
• HR - hiring competency, staffing, development, and advancement.
• Engagement acceptance & continuance - look for management integrity, evaluate audit firm’s capability of completing engagement, and consider potential conflicts of interest.
• Leadership responsibilities - “tone at the top” influences attitudes throughout firm
• Performance - (of the engagement) policies/procedures in place to ensure good work, good supervision, and good reviews (people and engagements).
• Monitoring - such as second partner review and peer review
• Ethical requirements - independence, integrity, and objectivity (SOX)
= aka “wrap up review” where a partner otherwise not involved in the audit reviews the audit documentation before the report can be issued.
- Required by SOX for every public company audit report.
second partner review
= when one CPA firm reviews another CPA firm’s compliance with its quality control system
(make sure they have developed adequate policies/procedures and are actually using them).
- Required every 3 years (minimum)
peer review
= ongoing consideration and evaluation of design and effectiveness of your quality control system.
- Partners bear this responsibility
monitoring
The nature and extent of a firm’s quality control policies and procedures will vary based on its…
size, structure, complexity, and cost-benefit considerations.
You must understand the difference between _____ (which apply to all the professional activities of a firm’s practice) and ____ (which apply to individual audit engagements). These are not synonymous terms
quality control standards
generally accepted auditing standards
(Failed quality control ≠ Failed GAAP or GAAS)
All work performed on the audit should be reviewed by the ___ or have some of the review responsibility delegated to other members of the audit team with the ___ having final responsibility for the audit.
partner
Auditors implement quality control procedures to provide reasonable assurance that…
- audits comply with professional standards and
- audits comply with legal/regulatory requirements
- audit reports are appropriate
[standards, laws, quality]
Although the engagement ___ is responsible for the overall quality of the engagement, he or she may delegate responsibility for certain procedures to other members of the engagement team.
partner
Who can perform engagement quality control reviews?
partner, another internal or external party, or a team of such individuals (unaffiliated with the engagement) if required by the firm’s policies and procedures.
> only performed when required by the firm’s policy and procedures
needs to be completed BEFORE the partner releases the audit report!
includes:
- discussion of significant findings
- reading the FS
- review of audit documentation
- eval of conclusions
quality control review
TorF: PCAOB requires all audits of issuers to have an engagement quality review and concurring approval of audit report issuance
True
Note: For nonissuers, quality reviews are required by firm policy, while for issuers, quality reviews are required by the PCAOB.
what serves as the primary record of the work performed and provides support for the audit opinion rendered on the financial statements?
audit documentation
What is audit documentation supposed to support?
OUR work and OUR opinion.
Not the client’s financials - THEIR records support THEIR financials.
The purpose of ___ is to provide evidence supporting the basis for conclusions reached in the audit report and achievement of the auditor’s overall audit objectives, and to provide evidence that the audit was conducted in accordance with GAAS and applicable legal and regulatory requirements.
audit documentation
Who does audit documentation belong to?
the auditor
however, the auditor may not disclose workpapers without client permission or court order
Audit documentation should be detailed enough so that an experienced auditor, with no previous affiliation with the audit, can understand…
a. the NET of audit procedures performed;
b. the audit results and evidence obtained;
c. any significant findings or issues
d. the conclusions reached
[procedures, results, conclusion, issues]
Audit documentation should ___ their accounting records support their FS.
verify
AD should show that accounting records reconcile with the FS
- provide record of accumulated evidence, showing the procedures performed, evidence examined, and conclusions reached (TW)
- enable external quality control inspections
- assist successor auditors
- show who performed the work, who reviewed the work, and when
- include copies of significant contracts or agreements
the roles audit documentation plays
= the date on which the auditor grants the client permission to use the report.
(defines the beginning of the retention period too)
report release date
= the date by which final documentation must be assembled
documentation completion date
Note: Documentation must not be deleted after this date!
Ex. say you found a mistake and want to fix it - DON’T
Any additions to the WP must be documented as such. Ex. "The following notes were added after the release date..."
Nonissuers:
Documentation completion date = Report release date + __ days
60
Issuers:
Documentation completion date = Report release date + __ days
45
Documentation retention requirements:
• ___ years for audits of nonissuers.
• ___ years for audits of issuers.
Five
Seven
= includes audit documentation that has a continuing interest from year to year.
Ex. contracts, pension plans, leases, stock options, bylaws, articles of incorporation, meeting minutes, bond indentures and internal info.
- Carry forward from year to year
permanent file (continuous file)
= contains all audit documentation applicable (relevant) to the year under audit.
- See paperclip with list of what’s generally included
current file
- audit plan
- FS and audit report
- TB, adjusting JEs, and reclassification entries
- Letters of representation
- Confirmations
- copies of entity documents (contracts, agreements, significant transactions)
- significant audit findings
- test of controls records
- substantive test records
current file contents
- matters related to the selection and application of acct principles (especially complex or unusual transactions/estimates/uncertainties)
- high risk issues
- possible MMs
- matters causing significant difficulty in applying audit procedures
- matters that might result in modification of the opinion or inclusion of an emphasis-of-matter paragraph.
significant audit matters
= symbols indicating the work has been performed. Audit documentation should include a key explaining the tickmarks used.
tick marks
What are the 3 Types of Fraud?
- FS fraud (Lie)
- Asset misappropriation (Steal)
- Corruption (Cheat)
Who is responsible for the selection and appointment of the external auditor?
audit committee
The auditor should consider:
- firm’s quality control
- firm’s ability to meet reporting deadlines*
- ability to staff the engagement
- firm’s independence, the integrity, and whether to do a group audit
(*affected by factors like the timing and complexity of engagement and availability of staff)
pre-acceptance checklist
Before accepting an engagement, the auditor should make sure the following preconditions are met:
- FRF used by the client is acceptable
- obtain mngt agreement acknowledging their responsibilities (FS + IC + access to info)
The auditor should not accept an engagement if there will be a ___ imposed by management prior to engagement acceptance, that will result in the auditor ___ an opinion on the financial statements.
scope limitation
disclaiming
(note: a lack of records = scope limitation)
= agreement on audit engagement terms
- should be accepted (signed and dated) by client and included in audit documentation.
engagement letter
An ___ is a presumptively mandatory audit requirement.
The auditor must establish an understanding with the client regarding the services to be performed
engagement letter
Required Contents:
a. Objective and scope of the audit
b. MR (mngt responsibility)
c. AR (auditor's responsibility)
d. Inherent risk statement*
e. ID applicable FRF
f. Reference the expected form and content of any reports (audit report)
engagement letter contents
Statement that due to inherent limits of an audit and IC, an unavoidable risk exists that some MM may not be detected (even though the audit is properly planned and performed in accordance with GAAS).
Inherent risk statement
required to be included in the engagement letter
For recurring audits, the auditor should assess whether circumstances require the terms of the engagement to be ___.
revised
What are examples of situations in which the engagement letter might need to be revised?
change in senior management
change in ownership
change in nature or size of the business
change in legal or regulatory requirements
change in FRF
special engagement terms
indication that management misunderstands the objective of the audit
Is it mandatory for an initial audit that the auditor make inquiries of the predecessor auditor (with the client’s permission)?
Yes; inquiries such as
- what’s mngt’s integrity like?
- what disagreements did you have with mngt over acct principles, auditing procedures, etc.
- what’s your understanding of the reason for the change in auditors?
- communication to mngt and AC regarding fraud, noncompliance with laws, and IC matters?
You can also review the prior auditor’s workpapers.
What happens if the client does not give permission to speak to the predecessor auditor?
That is a big scope limitation and the auditor should consider whether to accept the engagement.
During the course of an engagement, a client may ask the accountant to change an audit to a compilation or review, or a review to a compilation. Before agreeing to a change, what should the auditor consider?
[reason, effort, cost]
a. consider if there is an acceptable reason for a change
b. the effort required and estimated additional cost to complete the engagement
A client may ask the accountant to change an audit to a compilation or review, or a review to a compilation. What are acceptable reasons for change? What are unacceptable reasons for change?
acceptable reasons
- change in client requirement
- misunderstanding as to the nature of the service rendered
unacceptable reasons
- the engagement would uncover errors or fraud
- the client is attempting to create misleading or deceptive FS
What should the auditor do if the client:
- refuses to allow correspondence with legal counsel or
- refuses to provide a signed representation letter
consider withdrawing
An accountant is generally precluded from issuing a report when either of those things occur
What factors determine the nature and extent of planning?
size + complexity + auditors prior experience.
> less complex operations/processes
> fewer business lines
> more centralized accounting
> more involvement of senior management in day-to-day
= less extensive planning needed for the audit
What are the four main tasks during the planning stage of an audit?
industry knowledge
audit strategy
audit plan
risk assessment
Who has primary responsibility for audit planning?
engagement partner
as well as supervision of ee and compliance with auditing standards
What helps to highlight practices unique to that industry that may affect the client’s FS and provides information regarding events and transactions that may impact the client’s FS?
Obtaining understanding / knowledge of the client’s industry
TorF: Auditors are required to have prior experience with a client’s business/industry before accepting the engagement.
False
The auditor is not required to have prior experience with a client’s business/industry before accepting the engagement, as long as they obtain an understanding of the industry after acceptance.
How do you gain knowledge about the client’s business?
> Tour client facilities
> Review client’s financial history
> Understand the client’s accounting
> Inquire client personnel
= outlines the scope of the audit engagement, the reporting objectives, timing of the audit, required communications, and the factors that determine the focus of the audit.
[scope, objectives, timing, communication, focus]
audit strategy
- basis of reporting, currency, locations.
- industry-specific or regulatory requirements
- size and complexity of the entity (parent-sub relationships)
- prior experience
- recent changes in the company
- type/extent of evidence on the IC
Characteristics defining scope (extent “NET”) of an audit:
What are matters to consider when determining the timing of an audit (T in NET)
- deadlines for interim/final reporting
- key dates for meetings with mngt
- timing of audit team communications/meetings/reviews
[deadlines, BOD meetings, reviews, communications]
- prelim evals of materiality, audit risk, and IC
- material locations and account balances
- areas of higher risk of MM
- significant acct changes
- significant developments
Factors that determine the focus (nature “NET”) of the audit:
___ IC = more interim work
___ IC = more YE work
Strong
Weak
= list of audit procedures. Is based on the audit strategy and outlines the nature, timing, and extent of the procedures to be performed during the audit. Including:
- risk assessment procedures
- planned further procedures (TOE and substantive procedures)
(a written one is required)
audit plan
= assess the risk of MM and determine the NET of further audit procedures.
risk assessment procedures
= or “test of controls”, auditors test IC in order to (a) understand them and (b) rely on them.
- We test their effectiveness at preventing or detecting MM.
test of operating effectiveness (TOE)
= Auditor tests account balances. Trying to confirm dollar $ balances.
substantive procedures
$ubstantive
Audit procedures can be categorized as either ___ procedures or ___ procedures.
risk assessment
further audit
- completeness
- cutoff
- accuracy
- classification
- occurrence
transactions & events assertions
- completeness
- allocation & valuation
- rights & obligations
- existence
account balances assertions
- completeness
- understandability & classification
- rights & obligation
- valuation & accuracy
presentation and disclosure assertions
NOTE: FS are not statements of fact. They are ___ and ___ made implicitly or explicitly by management about the recognition, measurement, presentation, and disclosure of information in the FS.
claims and assertions
auditors use ___ to form a basis for assessing risk and for the design and performance of further audit procedures.
assertions
What are the six main financial statement assertions?
COVERU
- Completeness
- CutOff
- Valuation, allocation, and accuracy
- Existence and occurrence
- Rights and obligations
- Understandability and classification
= all account balances, transactions, and disclosures that should have been recorded have been recorded and included in the FS.
(Are there any missing JEs (empty seats) in the GL? Did everything get recorded?)
completeness
= transactions have been recorded in the correct accounting period.
cutoff
= account balances, transactions, and disclosures are recorded fairly and at appropriate amounts, and any resulting valuation or allocation adjustments are appropriately recorded.
valuation, allocation, and accuracy
= account balances exist, and transactions that have been recorded and disclosed have occurred and pertain to the entity.
(Are any of these JEs fake? Did these transactions actually happen?)
existence and occurrence
= the entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
rights and obligations
= transactions have been recorded in the proper accounts. Financial information is appropriately presented and described, and disclosures are clearly expressed.
understandability and classification
True or False:
1. There may be more than one relevant assertion related to the same transaction/account balance
2. Audit procedures may provide evidence to support only one assertion
3. More than one procedure may be required to fully support an assertion (ex. In order to ascertain completeness of inventory, inventory counts and inspection of receiving reports may be necessary)
1. true
2. false (ex. Inventory counts obtain evidence about both completeness and existence of inventory)
3. true
As the audit progresses, the initial audit plan may need to be ___ in response to changing conditions or the results of other procedures.
modified
= different audit teams in different locations (Big4)
group audit teams
The group audit team should also develop an audit plan (strategy), which should include the ___ to which the team will use the work of component auditors.
extent
Using work of others. Who can ‘others’ be?
Client’s Internal Audit
IT Auditor
Component Auditor
Specialists
Are auditors allowed to make use of the client’s internal auditor?
Yes
However, Internal auditors (IA) are not independent and therefore CANNOT make any judgement calls on the audit.
For assertions related to material FS amounts with high risk of MM/subjectivity, the IA’s work alone cannot eliminate testing by the CPA.
If the external auditor plans to use the internal auditor to provide ___, the internal auditor’s ___ and ___ should be assessed.
direct assistance
competence
objectivity
= reflected by education, professional certification, experience, performance evals, the audit plan, audit procedures, and the quality of IA documentation
competence
= reflected by the org level to which the IA reports, and if they have policies prohibiting IA from working in areas they lack independence.
objectivity
How is IA competence and objectivity assessed?
- prior experience
- prior evaluation
- talk to mngt
How do you assess whether IA applies a systematic and disciplined approach?
it’s reflected by the existence, adequacy, and use of documented IA procedures/guidance covering such areas as risk assessment and quality control.
The ___ the level IA reports to, the more objective you can assume they are. (AC is highest, assistant controller is lowest)
higher
The auditor cannot share with IA any of the ___ for audit decisions, judgments, or assessments made.
responsibility
= person or firm with special skills in a field other than accounting or auditing.
Ex. actuaries, appraisers, attorneys, engineers.
specialist
What are the two general types of specialists?
auditor’s specialist
management (company) specialist
Treat mngt specialist like one of the audit staff (eval their competency, capabilities, and objectivity) HOWEVER they’re still not ___ and therefore can’t make judgement calls.
independent
= an individual whose work in a field other than accounting or auditing is used by the auditor to assist in obtaining sufficient appropriate audit evidence. They may be an internal specialist employed by the auditor’s firm or an external specialist.
auditor’s specialist
= an individual whose work in a field other than accounting or auditing is used by the entity to assist the entity in preparing financial statements
management’s specialist
The ___ must be competent, have the professional capabilities, and be objective.
specialist
A specialist is not mentioned in the auditor’s report if an ___ opinion is issued.
When a ___ opinion is issued, the auditor may reference the work of the specialist if the auditor receives prior permission from the specialist.
unmodified
modified
Someone possessing specialized knowledge in information technology participating in the audit is called an ___, not a specialist.
IT auditor
The IT auditor is considered a member of the engagement team
Can the IT auditor be used throughout the audit to obtain an understanding of internal control, assess risks, and perform control test work and substantive procedures?
Yes
Who supervises and reviews the work performed on the audit, including the work performed by any IT auditors?
audit partner
A component auditor performs work on the financial information of a component that will be used as audit evidence for a ___.
group audit
A ___ may be engaged to obtain sufficient appropriate evidence over a component or may be required by law or regulation.
component auditor
Note: a component auditor can be:
> part of the engagement firm
> a network firm
> another firm (different CPA firm you’re teaming up with)
Who is responsible for determining the need for a component auditor and for evaluating the adequacy of the component auditor’s work?
group auditor
For audits of group financial statements, the auditor should use his or her understanding of each component auditor to determine whether to make ___ to the individual component auditor in the auditor’s report.
reference
If the group engagement partner decides to assume responsibility for the work of a component auditor, will they make reference or not make reference in the auditor’s report?
NOT make reference
When is materiality and performance materiality determined?
When establishing the audit strategy
When establishing the audit strategy, the auditor should determine
- ___ for the FS as a whole,
- ___ materiality
- materiality ___ for particular classes of transactions, account balances, or disclosures.
materiality
performance
levels
= defined by the U.S. Supreme Court is: “a substantial likelihood that the … fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information available.”
materiality
auditor should use the ___ level of misstatement that could be material to any one of the FS.
smallest
___ is necessary when determining materiality for the financial statements as a whole. Both ___ and ___ factors should be assessed when determining materiality for the financial statements as a whole.
Professional judgment
qualitative and quantitative
= facts and circumstances
Ex. JE that changes a small loss into a small profit might be quantitatively immaterial but qualitatively material.
qualitative factors
- percentages of FS items (Ex. total revenue, gross profit, profit from continuing operations, net assets)
- benchmarks (industry averages)
- FS items users tend to focus on
- size of the entity
- PT FS results
- known or expected changes
Factors used to assess materiality:
= represents the amount established by the auditor at less than materiality for the FS as a whole, to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the FS as a whole.
performance materiality
= is the maximum error in a population that the auditor is willing to accept and is the application of performance materiality to sampling procedures.
tolerable misstatement
Separate ___ ___ can be applied to classes of transactions, account balances, or disclosures for which misstatements of a lesser amount than materiality for the financial statements as a whole could influence the decisions of users.
materiality levels
When should auditors set separate lower materiality levels for particular accounts or disclosures?
when there is a substantial likelihood that a misstatement of amounts less than materiality established for the financial statements as a whole would influence the judgment of a reasonable investor
The auditor should perform ___, which enable the auditor to identify and assess the risks of material misstatement and make informed judgments about other audit matters.
risk assessment procedures
(judgements about:)
- materiality
- application of acct procedures
- special audit consideration
- expectations for analytical procedures
- eval evidence
Name the sides of the Fraud Triangle
> Pressure
> Opportunity
> Rationalization
- Industry, regulatory, and other external factors
- The applicable FRF
- Technological factors
- The nature of the entity
- The selection and application of accounting policies
- The entity’s objectives, strategies, and business risks
- The entity’s financial performance
- The group, its components, and their environments
risk assessment includes obtaining an understanding of the entity and its environment, such as:
- inquiries of management and others within the organization;
- analytical procedures that study plausible relationships between financial and nonfinancial data
- audit data analytics (ADAs),
risk assessment procedures used by an auditor
= which involve analyzing patterns, identifying anomalies, and extracting other useful information in data.
audit data analytics (ADAs)
When are analytical procedures required?
planning stage and final review stage
- they can be high level (compare FS to budget)
- assist in determining the NET of procedures
required or not required?
- analytical procedures –>
- risk assessment procedures –>
- test of operating effectiveness of controls –>
required
required
not required
During planning, the auditor is specifically required to perform analytical procedures related to ___ in order to identify unusual or unexpected relationships that might indicate ___ (including fraud).
revenue
material misstatement
As part of the auditor’s ___, the auditor must obtain an understanding of the entity’s internal control.
risk assessment process
The purpose of ___ is to help a company meet its objectives (reliable financial reporting, effective/efficient operations, and compliance with laws/regulations).
internal control
The reliability of financial reporting controls (objectives) is ___ relevant to the audit than controls relating to operations or compliance.
more
Controls related to operations and compliance may occasionally be relevant to the audit if they relate to non financial data used in analytical procedures or they relate to non compliance with laws that have direct and material effect on the FS
What are the five components of internal control?
“It’s a CRIME to not have a good system of IC”
• Control environment
• Risk assessment (this is management’s assessment, not the auditor’s)
• Information and communication systems
• Monitoring
• Existing control activities
When the client’s control environment is ___, the auditor may perform more substantive procedures as of balance sheet date rather than at interim.
- modify the nature of the test to obtain more persuasive evidence
- increase the extent of testing (include more items and locations)
weak
When the client’s control environment is ___, the auditor may perform tests at interim date rather than balance sheet date.
- use tests that provide somewhat less persuasive evidence
- reduce extent of testing
strong
= overall tone of the organization
> provides discipline and structure as the foundation for all other components
> originates/generated by management
- comm/enforcement of integrity and ethical values of the people at the top.
- written policy statements, codes of conduct,
- mngt actions to reduce unethical acts, mngt reactions to violations.
- commitment to competence (hiring, training, evaluations, promotions, compensation)
- mngt approach to risk-taking, attitudes toward FR/accounting functions
- org structure and establishment of key areas responsibility and lines of reporting
RED FLAGS: mngt consumed with meeting the budget, mngt is dominated by one person, mngt compensation is contingent upon financial performance.
control environment
= management’s identification of risk. (Where can lying, stealing, and cheating occur?)
Circumstances where risk could arise:
- change in operating/regulatory environment
- new personnel
- new information systems
- rapid expansion of operations
- new technology
- new business models/products
- corp restructuring
- acquisition of foreign operations
- adoption of new/different acct principles
risk assessment (management’s)
= support the identification, capture, and exchange of info in a timely manner.
- a means of recording transactions and communicating responsibilities
- ID and record all valid transactions
- process and account for system overrides or bypass controls (alarms)
- describe transaction in sufficient detail to allow proper classification
- measure and record the proper monetary transactions/events in appropriate period
- present transactions and related disclosures properly in FS
Information (information and communication systems)
- acct processing (manual and automated) from initiation to inclusion in the FS
- acct records (manual and electronic), initiating, authorizing, recording, processing, and reporting transactions
- significant acct policies
- controls surrounding JE (scrutinize any unusual period-end JEs)
- development of acct estimates
For accounting information systems (AIS), auditors should understand:
- providing an understanding of individual roles and responsibilities for IC over FR
- may be written (policy, manuals), oral, or by example.
- communication btw mngt and AC
- communication btw mngt and external parties (regulators)
communication (information and communication systems)
= assessment of IC performance over time
- monitor controls to make sure they're operating as intended
- modify IC appropriately for changes in conditions
- includes taking corrective action
- note: establishing and maintaining IC is management’s job
monitoring
= the internal controls, policies, and procedures currently in place
- controls are either preventative or detective
- policies and procedures that help ensure mngt directives are carried out and risks are addressed.
- Rule: fraud and errors should be prevented and/or detected by employees in the ordinary course of their job.
existing control activities
Client’s IC should separate what three functions?
Custody of assets
Authorization
Record keeping
(CAR = segregation of duties)
= designed to provide reasonable assurance that only valid transactions are recognized, approved, and submitted for processing. Applied before the processing activity occurs
Preventative controls
= designed to provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis. Normally performed after processing has been completed
Detective controls
CPA responsibility: Understanding of each element of CRIME as it pertains to ___.
financial reporting (FR)
= Is the control capable of preventing/detecting and correcting material misstatements (either individually or in combination with other controls)?
design
= Does the control exist and is it being used? (aka “present and functioning”)
- This is usually answered during a WT.
- Is the control operator aware of the procedure and their responsibility for its performance?
- Does the control operator have a working knowledge of how the procedure should be performed?
implementation
The understanding of D&I is obtained through the following procedures (which must be documented):
- Inquiry of entity personnel
- Observation of the application of controls and of the entity’s premises and plant facilities
- Inspection of documents and records
- Walk-throughs
= trace the flow of transactions through the accounting system from inception through recording in the GL and presentation in the FS.
- eval the design of relevant IC
- determine if certain controls have been implemented
- procedures include inquiry + other procedures (inspect, observe, re-perform) since inquiry alone is not sufficient.
walkthrough
Auditors must document their understanding of the D&I of the entity’s IC. (including the sources of the info from which understanding was obtained).
Documentation may include any items the auditor can FIND:
Flowchart
IC Questionnaire or Checklist
Narrative (hard to see weaknesses in the control)
Documentation from the client (copies of procedure manuals and org. charts)
IC are meant to prevent and/or detect fraud and errors. What are the two exceptions?
Collusion and Management override
IC will pick up on errors
What are the three inherent limitations of internal control?
management override of controls,
human error, and
collusion.
How can information technology benefit the five (CRIME) components of internal control?
- faster processing
- improved efficiency
- improve effectiveness of IC
- process large volumes of transactions accurately & consistently
- improved timeliness
- effective security controls
- enhanced monitoring
- *enhanced SOG (has 5 instead of 3)
> Control group (IA)
> Operators
> Programmers
> Analysts
> Librarians
What are some risks information technology poses to the five (CRIME) components of internal control?
- unauthorized access to data
- reliance on inaccurate systems
- unauthorized changes to data, systems, or programs
- failure to make required updates to systems
- inappropriate manual intervention
- potential loss of data (accidental deletion or hackers)
= internal controls that are performed by people and are more suitable when judgment and discretion are required
- large, unusual, non-recurring transactions
- Potential misstatements are difficult to define or project
- Changes in circumstances that require change in controls
- They are also used to monitor automated controls
- However they may pose additional risks because they can be more easily ignored or overridden
- They are subject to human error and are less consistent than automated controls
Manual controls
= internal controls performed using IT and are more suitable for
- high volume or reoccurring transactions
- control activities that can be adequately designed and automated
Automated controls
What involves automated means of originating, processing, storing, and communicating information?
Information technology (IT)
An entity’s use of information technology affects both the evaluation of ___ and the procedures used to gather ___, but it does not affect the auditor’s objectives.
internal control
evidence
List the auditor's IC objectives
- reporting
- operating
- compliance
^^ these stay the same whether the client has a manual environment or a computerized environment.
An entity’s IT environment may consist of multiple layers of supporting IT infrastructure. Examples of different layers include…
hardware = servers, computers, data centers and other equipment.
software = FR software and any enterprise resource planning (ERP) systems used by the entity
network = internet connectivity, firewalls, security
operating systems = manages system resources and hardware
data storage = traditional infrastructure (data centers) or cloud infrastructure
How are the following impacted by manual vs. computerized environments? (higher/lower, more/less)
- uniform processing consistency
- paper audit trails
- risk of unauthorized access
- uniform processing consistency: lower, higher
- paper audit trails: more, less
- risk of unauthorized access: lower, higher
Substantive testing alone may not be sufficient. Test of controls should be performed to assess control risk in highly ___ systems.
computerized
Auditors are not expected to be IT experts. But they are expected to have enough IT-related knowledge to:
a. communicate audit objectives (to the IT auditor)
b. eval the sufficiency of procedures performed
c. eval the results of the procedures performed
[communicate, eval results]
What does CAAT stand for?
computer assisted audit techniques
- Transaction tagging — electronically marks specific transactions.
- Embedded audit modules — sections of program code collect data for the auditor.
- Test data — use of the client’s system to process the auditor’s data, offline.
- Integrated test facility — use of the client’s system to process the auditor’s data, online (e.g., test data commingled with live data).
- Parallel simulation (reperformance test) — use of the auditor’s system to reprocess client data and then compare results with the client’s files.
computer assisted audit techniques (CAATs)
= allows the auditor to perform tests of controls and substantive tests directly on the client's system.
generalized audit software package (GASP)
- examine transactions for control compliance
- selecting items meeting specified criteria
- recalculating amounts and totals
- reconciling data from two separate files
- performing statistical analysis on transactions
Tasks performed by GASP (generalized audit software package) include:
- allow auditors to sample and test a much higher percentage of transactions, which should result in a more reliable audit
- require little technical knowledge of the client's hardware & software features
- After initial use, they can significantly reduce audit time without sacrificing quality
Advantages of GASP (generalized audit software package):
The NET of ___ depends on:
- size, nature, and complexity of the entity
- nature of work assigned
- risk of MM
- qualifications of the assistant
supervision