A3 Flashcards
type of audit required for an issuer
integrated audit (F/S & I/C)
Client Acceptance Policies
- Firm’s Ability to Meet Reporting Deadlines
- Firm’s Ability to Staff the Engagement
- Independence
- Integrity of Client Management
- Group Audits
Management Responsibilities for Audit
financials and internal controls
Preconditions of an Audit
- applicable financial reporting framework
2. management responsibilities
What to do if there is a management imposed scope limitation
- audit required by law or regulation (permitted but not required)
- qualified opinion or circumstances beyond their control can result in acceptance
3 Types of Fraud in Audit
- financial statement
- asset misappropriation
- corruption
Engagement Letter Contents
- objective and scope of an audit
- responsibilities of auditor
- responsibilities of management
- statement that because of the inherent limitations of an audit
- identification of the applicable financial reporting framework
- reference to the expected form and content of any reports
Considerations for Initial Audit
- MANDATORY: communication with the predecessor auditor
* *examine workpapers
* *disagreements
* *management integrity
* *reason for change in auditors
* *client PERMISSION is needed - Auditor’s Responsibility
* *opening balances could contain misstatements
* *accounting policies have been consistently applied in the current period
Responsibilities of Engagement Partner
- planning the audit
- supervising the work of engagement team members
- compliance with relevant auditing standards
Knowledge of the Client’s Business and Industry
- can accept engagement but then must obtain this knowledge
- tour client facilities
- review the financial history
- obtain an understanding of client accounting
- inquire of client personnel
Developing the Audit Strategy
- WRITTEN audit strategy
- Scope of the Audit (Extent)
- Reporting Objectives, Audit Timing, and Required Communications (Timing)
- Factors that Determine the Focus of the Audit (nature)
Factors that determine the focus of the audit
- materiality
- audit risk
- internal controls
PCAOB Standards for Audit Strategy
- knowledge of internal control
- matters affecting industry
- extent of recent changes
- preliminary judgments about materiality and risk
- control deficiencies previously communicated
- legal or regulatory matters
- complexity of the company’s operations
Materiality for an Audit on the Financial Statements as a Whole
*should use the smallest level of misstatement that could be material to any one of the financial statements
Communication with Those Charged with Governance in initial planning stages of audit
*planned scope and timing
Developing the Audit Plan
- MUST BE WRITTEN
1. audit procedures - risk assessment procedures
- further audit procedures
- tests of controls
- substantive procedures
2. financial statement assertions
3. drafting the audit plan
Financial Statement Assertions
C ompleteness O cutOff V aluation, allocation, and accuracy E xistence and occurence R ights and obligations U nderstandability and classification
PCAOB Financial Statement Assertions
C ompleteness E xistence O ccurence A llocation P resentation R ights O bligations V aluation E D isclosure
Role of Client’s Internal Auditors
- cannot help in matter involving judgment and/or assessment
- the higher up they report, the more objective they are
- NOT independent
Auditor’s Responsibility with Internal Auditors
*obtain understanding and assess competence and objectivity
Use of Specialists when Auditing
- treat the specialist like one of your staff
* competence, capabilities, and objectivity
Types of Misstatements
- factual misstatements
- judgmental misstatements
- projected misstatements
Audit Risk Model
AR = IR x CR x DR
Can substantive procedures ever not be performed during an audit?
No
3 Categories to which assertions apply
- transactions
- account balances
- disclosures
Fraud Triangle
- pressure
- opportunity
- rationalization
Auditor’s Responsibility when it comes to Fraud
- design audit to obtain reasonable assurance about whether the financial statements are free of material misstatement
- difficult to detect fraud due to the concealment aspects
- should discuss risks with engagement personnel
PCAOB Standards for Fraud
*ask management and audit committee if they have received and responded to tips or complaints regarding the company’s financial reporting
When are analytical procedures required during an audit?
- planning
2. final review
Does the absence of fraud risk factors mean that there is no fraud risk?
No
Presumption of Risk in All Engagements
- improper revenue recognition
2. management override of controls
Items most susceptible to manipulation
- high degree of management judgment and subjectivity
2. highly complex accounting principles
Levels to Respond to Assessed Fraud Risk
- general response
- response encompassing specific audit procedures
- response addressing risks related to management override
significant risks? withdraw
Communications of Fraud to Management/Those Charged with Governance
*report to management at least one level above those involved
Instances where third party disclosure is necessary regarding fraud
- comply with certain legal and regulatory requirements
- to a successor auditor when the successor makes inquiries with permission of client
- response to a subpoena
- funding agency or other specified agency for clients that receive governmental financial assistance
- authorities in some circumstances
Auditor’s Consideration of Noncompliance
obtain understanding of
- legal and regulatory framework
- how the entity is complying with that framework
Reporting Noncompliance in the Auditor’s Report
- material effect = GAAP = except for or adverse
- insufficient evidence = GAAS = except for or disclaimer
- client response/refuse = GAAS = withdraw
Assessing the Risks of Material Misstatement
I nternal control understanding M aterial misstatement risks A assessed level of risk response C ontrol testing P erform substantive testing A udit evidence - evaluate appropriateness and sufficiency
Two Procedures Necessary in Every Audit
- analytical procedures
- risk assessment procedures
*test of operating effectiveness of controls is NOT required
Risk Assessment Procedures
- perform analytical procedures
- conduct a discussion among engagement team members
- inquire of the audit committee and management about the RMM
- inquiries
- observation and inspection
Required Documentation for Assessing RMM
- discussion among audit team
- key elements of the understanding of the entity and its environment
- the assessment of the risks of material misstatement
- identified risks and related controls evaluated by the auditor
- more complex = more extensive = more documentation
PCAOB = include assessment on particular locations (CPI)
Five Components of Internal Control
*COSO framework
C ontrol environment R isk assessment I nformation and communication systems M onitoring E xisting control activities
*think of pyramid
Key phrase for the five components of internal control
*auditor should obtain an understanding and knowledge of each component
Circumstances that are red flags about management’s philosophy and operating style
- consumed with meeting budget
- dominated by one person
- compensation contingent upon the entity’s financial performance
Control environment has a ________ effect on the auditor’s risk assessment and preliminary judgments
pervasive
Strong vs. Weak control environment and timing of procedures
Strong: interim and roll forward
Weak: as of the balance sheet date
Risk Assessment is whose responsibility when it relates to the five components of internal controls
management’s responsibility
Information and Communication Systems - 5 Components of I/C
- initiate
- authorize
- process
- record
- report
Control Activities in a Strong Control Environment
P renumbering of documents
A uthorization of transactions
I ndependent checks to maintain asset accountability
D ocumentation
T imely and appropriate performance reviews
I nformation processing controls
P hysical controls for safeguarding assets
S egregation of duties
Segregation of Duties (not IT)
C ustody
A uthorization
R ecording
Two key elements of internal controls
- preventative
* detective and corrective
When assessing the RMM, the auditor should be
identifying types of potential misstatements
Auditor should look at what when considering the internal controls
- design
- implementation
- procedures
- WALKTHROUGHS AND INQUIRIES
- document all understandings
Documentation Types
F lowchart
I nternal control questionnaire or checklists
N arrative
D ocumentation from the client, including copies
Issue when IT systems are used and records are continually modified
*difficult for timing of testing since records continually update
The “IT Exception”
- cannot solve detection risk through substantive testing alone
- must do SUBSTANTIVE AND CONTROL TESTING
Segregation of Duties (IT)
C ontrol group O perators P rogrammers A nalyst L ibrarian
*weakness comes from doing or supervising another area
IT Weaknesses
G I G O
Service Organizations and Internal Controls
Service Auditor Reports
- reports only on design and implementation
* *should not reduce the assessment of control risk - reports on design, implementation, and effectiveness
* *can be used to reduce the assessment of control risk
Two Types of Audit Approaches
- substantive approach
- combined approach (reliance method)
*IT requires internal control assessment and substantive procedures
If the auditor wants to rely on the operating effectiveness of internal controls, when must the test of controls be performed?
in the current period
Nature of Tests of Internal Controls
- using audit evidence hierarchy
* inquiry alone is not sufficient
Audit Evidence Hierarchy
A uditor evidence E xternal evidence I nternal evidence O ral evidence U KNOW IT
*inquiry alone is not sufficient
Can you use evidence obtained in prior audits about operating effectiveness of controls be used in the current audit?
Yes
Timing of Substantive Procedures
RMM low = interim (roll forward)
RMM high = at balance sheet date
Evaluating the Sufficiency and Appropriateness of Audit Evidence
- revising the assessed RMM
- modify planned audit procedures
- document it
- *overall response
- *NET
- linkage of those audit procedures
- results of audit procedures
- conclusions reached
primary purpose of evaluating internal control
*material misstatements could exist in the financials
Can you evaluate the risk for internal control while obtaining an understanding of it?
Yes