A3, M2-M4 Flashcards
T/F: The auditor should be concerned with all controls in a financial statement audit.
False. They only need to be concerned with controls related to financial reporting.
T/F: The auditor must determine the operating efficiency of controls in a FS audit.
False, this is not required in a FS audit.
The system of internal controls is relevant to (2) …
(1) to the entire entity, AND
(2) to any of the entity’s operating units or business functions
The five components of the system of internal control are applicable to the audit of (some/all) entities audited.
All
What internal frameworks can be used to assess internal control?
COSO or another framework (as long as all components addressed)
When is an auditor required to test the design and implementation of controls that address risks of material misstatements? (3 “OR” criteria)
(1) control addresses a significant risk
(2) controls over journal entries
(3) controls will be relied on by the auditor
What do preventative controls do?
provide reasonable assurance that only valid transactions are recognized, approved, and processed
Preventative controls are applied (before/after) processing occurs?
before
What do detective controls do?
provide reasonable assurance that errors/irregularities are discovered and corrected on a timely basis
Detective controls are applied (before/after) processing occurs.
after
What is an example of a detective control?
account reconciliations
How is IT important in monitoring?
Much information used in monitoring is provided by IT, so the accuracy of the IT system is crucial.
What are manual controls?
controls performed by people
What are automated controls?
controls performed using IT
When are manual controls more suitable (general)?
when judgment and discretion are required
For what types of transactions are manual controls more suitable?
large, unusual, or non-recurring
Manual controls can be used to monitor …
automated controls.
What risks do manual controls pose?
- more easily ignored or overridden
- less consistent than automated controls
For what types of transactions are automated controls more suitable?
high volume or recurring transactions
What are general IT controls (defined)?
(1) relate to many applications, AND
(2) support effective functioning and proper orientation of the information system, and
(3) support the integrity of information in the information system
What are four categories of general IT controls?
- managing access to applications
- changes in IT environment
- managing IT operations
- information-processing controls
What are User-Access Reviews?
evaluate user access over time to ensure the right people have the right level of access
What are information processing controls (defined)?
help ensure integrity of the data in an entity’s information system
What are information processing controls (examples)?
- controls over input, processing, and output
- check mathematical accuracy
What does a walkthrough accomplish (2 things)?
- obtain an understanding of the system of internal controls, AND
- test the design and implementation of the controls
What is a walkthrough?
trace the flow of transactions from inception to the financial statements
What does the auditor need to document in a walkthrough?
the key steps performed
What types of questions should the auditor ask the client when doing a walkthrough?
- understanding of procedure
- understand what happens to the information before and after handled by them
- are processing and controls performed as required and on a timely basis?
Inquiry alone in a walkthrough (is/is not sufficient).
is not
What additional procedures should be performed with the inquiry in a walkthrough (4)?
- Observation
- Reperform
- Inspect
- Corroborate with Other Inquiries
After obtaining an understanding of internal controls, what are the next three steps to do?
(2) Evaluate the design and implementation of controls.
(3) Assess risks of material misstatement, AND
(4) Design the NET of further audit procedures
What are you looking for when evaluating the design of internal controls?
Is the control capable of preventing, detecting, and correcting material misstatements?
When has a control been implemented (2 criteria)?
Control exists and is being used.
To determine whether controls have been implemented, the auditor should determine whether the individuals responsible for the controls are …
- aware of the procedure and their responsibility for it, AND
- knowledgeable of how procedure should be performed
What is the true primary purpose of risk assessment (understanding internal control)?
help the auditor identify where potential misstatements may occur
What acronym tells you the different forms of documentation for internal controls?
FIND
What does F stand for in FIND?
flowchart
What does I stand for in FIND?
Internal control questionnaire or checklist
What does N stand for in FIND?
Narrative
What does D stand for in FIND?
Documentation from client (procedures manuals and org charts)
What is a flow chart?
a symbolic diagram that shows the sequential flow of authority, processes, and documents
What does a diamond typically represent on a flow chart?
a decision
What does a rectangle with the bottom curved represent on a flow chart?
a document or report
What does a trapezoid represent on a flow chart?
manual process
What does a parallelogram represent on a flow chart?
data
What is a narrative?
written version of flow chart
Flow charts are more appropriate for (less complex/more complex) control structures. Narratives are more appropriate for (less complex/more complex) control structures.
Flow Charts: More Complex
Narratives: Less Complex
Why does a strong system of internal control only provide reasonable (not absolute) assurance about achievement of objectives?
- management override
- collusion for deliberate circumvention
- human error
- external events
T/F: It is more efficient and/or cost-effective to focus on automated controls rather than manual controls.
False, not necessarily.
When testing an automated control, how many items are required for testing?
Only one, because the system is inherently consistent.
An auditor most likely would obtain an understanding of the client’s control activities (before/after) the balance sheet date.
before
T/F: Understanding the entity and its environment only occurs at the beginning of an audit.
False, you continuously gain an understanding.
T/F: Evaluating client continuance only occurs at the end of an audit.
False, you do this continuously throughout the audit.
T/F: Inquiring as to the design of controls only occurs during the planning part of the audit.
True.
If a budgetary reporting system provides adequate reports, but the reports are not analyzed and acted upon, how would you assess the implementation and operating effectiveness?
Implementation: Okay, because control exists and is used.
Operating Effectiveness: No, because reports are not being used.
When the CEO requests a check with no purchase order, this is an example of what limitation in internal controls?
management override
If an IT system is more complex, how is documentation affected?
More documentation required
What is a remittance advice?
proof of payment document sent by a customer to a business
The word “valid” is a buzzword for which assertion?
existence/occurrence
To address the risk that unapproved purchase orders are processed, the control objective is to …
ensure that purchase orders are valid.
Auditors should assess the risk of material misstatement at what two levels?
(1) financial statement level
(2) assertion level
What is a relevant assertion level?
significant class of transactions, account balances, and disclosures in the financial statements
What are financial statement level risks (defined)?
- relate pervasively to the financial statements as a whole, AND
- potentially impact many individual assertions
For assertion-level risks, should inherent and control risk be assessed together or separately?
separately
For financial statement level risks, should inherent and control risk be assessed together or separately?
together
What are significant risks?
identified risks of MM where inherent risk assessment has high magnitude and likelihood
Should you include the effect of controls when determining whether a risk is significant?
No.
What do PCAOB standards say about the audit of a company with operations in multiple locations or business units?
The auditor needs to determine the extent to which audit procedures should be performed at selected locations or business units.
How does an auditor determine the amount of attention devoted to a particular location (2 things)?
- based on the assessment of the risk of material misstatement
- significant unusual transactions
What are some things an auditor should do in response to financial statement level risk (5 things)?
(1) tell audit team to maintain professional skepticism
(2) assign staff with more experience or specialized skills
(3) change NET of direction and supervision
(4) incorporate greater unpredictability
(5) change the overall audit strategy
The nature of an audit procedure includes what two things?
purpose AND type
What two approaches to procedures can an auditor take for a relevant assertion?
- substantive ONLY
- combined approach (test of controls and substantive)
When substantive procedures ONLY are used, what is control risk assessed at?
at the maximum
What three conditions indicate that substantive procedures only should be used?
(1) no effective controls
(2) implemented controls are NOT operating effectively, OR
(3) risk can be addressed efficiently from substantive procedures alone
When a combined approach is used, what is control risk assessed at?
below maximum
When are tests of controls required?
- significant amount of information is processed electronically, OR
- business conducted using IT and no documentation is produced or maintained
What are dual-purpose tests?
test of controls performed concurrently with a test of details
How are significant risks handled in the audit (beyond procedures)?
- communicate to governance
- consider in determining KAMs
- more involvement of the group engagement partner
If the auditor’s risk assessment is based on the assumption that controls are operating effectively, would tests of controls be performed or not?
Yes, because control risk assessed below the maximum.
Can the auditor test the operating effectiveness of controls while obtaining an understanding of the system of internal control?
Yes, if it is efficient to do so.
Is testing internal controls required in a financial statement audit?
No.
What four types of procedures are used to test the operating effectiveness of controls?
- Inquiries
- Observation
- Inspection
- Reperformance
Why should observation be used with other procedures?
Because the observation is only made at one point in time. What happens when you are not watching?
Which of the procedures can be used to test design effectiveness?
Inquiries
Observation
Inspection
Which of the procedures can be used to test operating effectiveness?
Inquiries
Observation
Inspection
Reperformance
Which procedure is used exclusively for testing operating effectiveness?
Reperformance
What should the auditor do about controls they only tested during the interim period?
Perform rollforward procedures for the remainder of the year.
Can evidence obtained in prior audits about the operating effectiveness of controls be used in the current audit?
Yes, as long as controls have not been changed since they were last tested.
If controls have changed since they were last tested, what should the auditor do?
Test again.
If controls have NOT changed since they were last tested, when should the auditor still test the procedures?
Test once every 3 years.
Controls relating to what must be retested every year, regardless of the rule just discussed?
significant risks
If the auditor determines that the controls are operating effectively and can be relied upon (after tests of controls), what should the auditor do next?
proceed to substantive procedures based on RMM
If the auditor determines that the controls are NOT operating effectively (after tests of controls), what should the auditor do next?
- test alternative controls OR
- reassess control risk (increase substantive testing)
What happens when there is a deficiency in the design of controls?
not created well or control is missing
What happens when there is a deficiency in the operation of an effectively designed control?
control is not operating as it should
If monitoring controls are inadequately designed or there is no process to report control deficiencies, is this a deficiency in design or operating effectiveness?
design deficiency
If management can easily override controls, is this a deficiency in design or operating effectiveness?
operating effectiveness
Substantive procedures are required for each …
relevant assertion.
What are tests of details?
audit procedures to gather evidence to support account balances in the financials
What is used when there is a large volume or predictable transactions, substantive analytical procedures or test of details?
substantive analytical procedures
What provides more assurance, substantive analytical procedures or test of details?
tests of details
If only substantive procedures are performed in an audit, which procedures MUST be performed: substantive analytical procedures or tests of details?
tests of details
Can evidence obtained from substantive tests in a prior audit be used in the current period?
No!
After performing risk assessment procedures, an auditor might decide not to perform tests of controls because…
it would be more inefficient than substantive procedures alone
Do similar transactions from the prior year’s audit but materially higher amounts represent a significant risk?
No, because the transactions are similar.
Do complex transactions and related party transactions represent significant risks?
Yes.
Negative confirmations provide (more/less) assurance than positive confirmations.
less
Are substantive auditing procedures required in an audit of internal control?
No.
Do analytical procedures provide evidence about control risk?
No.
An audit of financial statements is a ____ process.
cumulative
Documentation of the assessed level of inherent risk should be done (before/after) the consideration of controls.
before
Would hearing employees complain about pay rates imply some sort of wrongdoing?
No.
Sending inquiry letter to client’s legal counsel must occur (before/after) year end.
after
If an auditor takes an accounting position with former clients, does this increase, decrease, or have no effect on risk?
No effect, this is common.
Are changes to a system that allow new reports to be created enough to warrant a need to retest controls this year?
No, as long as control environment is unaffected.
Before performing substantive tests at an interim date, an auditor should consider whether the amounts of the year-end balances selected for interim testing are ______ _______ with respect to amount, relative significance and composition
reasonably predictable
What is the best compensating control for the lack of segregation of duties in smaller organizations?
management oversight of incompatible functions
What is noncompliance (defined)?
(1) act of omission or commission by an entity,
(2) whether intentional or unintentional,
(3) which is contrary to prevailing laws and regulations
What three things can noncompliance result in?
- fines
- litigation
- other consequences with a material effect on the financial statements
What is management’s responsibility for compliance (2 items)?
- ensure that operations are conducted in accordance with applicable laws and regulations
- report amounts and disclosures in accordance with laws and regulations
What is the auditor’s responsibility for compliance?
obtain reasonable assurance that financial statements are free from material misstatement due to noncompliance with laws and regulations
Who is responsible for preventing noncompliance through controls (management or auditor)?
Management
Are the potential effects of inherent limitations on the auditor’s ability to detect material misstatement due to noncompliance higher or lower?
Higher.
T/F: The auditor decides whether an act constitutes non-compliance.
False. This is a legal determination.
What is a direct effect (in context of laws and regulations)?
Laws and regulations determine material amounts and disclosures.
What procedures should the auditor perform in relation to direct effects (of laws and regulations) on the financial statement?
Same as normal. Obtain sufficient appropriate audit evidence.
What is an indirect effect (in context of laws and regulations)?
indirectly affect the financial statements but have a fundamental effect on the entity’s operations
What procedures should the auditor perform in relation to indirect effects (of laws and regulations) on the financial statement?
- inquire about whether the entity is in compliance
- inspect correspondence with relevant authorities
What are four indicators of noncompliance?
- investigations by regulatory organizations
- payment of fines or penalties
- unusual payments in cash
- purchases significantly below or above market price
If an auditor suspects noncompliance, what should they do?
discuss with at least one level above those suspected (and possibly governance)
If management/board cannot provide sufficient information that shows entity is in compliance, when should the auditor pursue the matter further?
when the effects of noncompliance may be material
If management/board cannot provide sufficient information that shows entity is in compliance, what should the auditor do if the effects may be material (2 options)?
- Discuss with lawyers (in house or external).
- Withdraw, if applicable
When does noncompliance not have to be reported to the board?
clearly inconsequential
If the noncompliance is related to the board, what should the auditor do?
obtain legal advice
Does the auditor have a duty to report noncompliance to authorities (generally)?
No.
When does the auditor have a duty to report noncompliance?
(1) in response to inquiry from a successor auditor
(2) response to court order
(3) requirements for audits of entities receiving federal financial assistance from a government agency
If a client refuses to accept a modified report, what should the auditor do?
- withdraw, AND
- notify those charged with governance in writing
What is an accounting estimate (defined)?
monetary amount in the financials for which there is an inherent lack of precision (estimation uncertainty)
What are two reasons that estimates have to be used?
- data about past events cannot be accumulated in a timely, cost-effective manner, OR
- measurement depends on the outcome of future events
What increases the susceptibility of an accounting estimate to management bias?
increased subjectivity involved in making the estimate
When is there low estimation uncertainty?
simple, few assumptions
When is there high estimation uncertainty?
complex, many assumptions
Does life of an asset have high or low estimation uncertainty?
low
Does allowance for doubtful accounts have high or low estimation uncertainty?
high
What procedures can be performed by the auditor in responding to RMM related to accounting estimates (3)?
(1) obtain evidence from events after the BS date
(2) test how management made the estimate
(3) develop auditor’s point estimate/range
When testing how management made the estimate, what three things does the auditor need an understanding of?
- how they selected and applied methods
- significant assumptions
- data used
What should be true about the significant assumptions made?
assumptions are consistent in the entity’s business
What does the auditor need to evaluate about the data used for an estimate?
- whether the data is relevant and reliable
- whether data has been appropriately understood and interpreted by management
What are three ways an auditor can develop a point estimate?
- use a different model
- use the same model, but different assumptions
- engage a specialist
What two things can make a model complex?
- require special skills or knowledge to understand, OR
- difficult to obtain or maintain integrity of data used in model
When management uses a more complex model, what should the auditor consider about the entity (3)?
- entity validated the theoretical soundness of the model,
- appropriate change control policies exist, AND
- management has appropriate skills and knowledge to use and understand the model
What is the auditor’s responsibility in regard to estimates?
evaluate the reasonableness of significant accounting estimates
If auditor determines that an estimate is unreasonable, what is the misstatement calculation if there is a best estimate?
Client’s Estimate - Best Estimate supported by audit evidence
If auditor determines that an estimate is unreasonable, what is the misstatement calculation if there is a range of reasonable estimate?
Client’s Recorded Estimate - Closest Estimate in Range to the Recorded Amount
T/F: A related party transaction is considered to be an arm’s length transaction.
False.
What does GAAP require about related party transactions?
disclosures of all related party transactions
Related parties include which four groups?
- affiliates
- principal owners
- management
- members of their immediate families
A principal owner is defined by what level of ownership?
> 10%
What does an auditor need to obtain an understanding of in relation to related parties?
Understand controls/processes for:
- identifying related parties
- authorizing transactions with related parties
- accounting for and disclosing relationships and transactions
What type of statement should the auditor get from management in regards to related party transactions?
conflict-of-interest statement, including names of all related parties, nature of relationship, transactions, background information
What should the auditor ask the board about related party transactions?
- understanding of any significant or unusual relationships with related parties
- whether there are concerns regarding relationships with related parties
What audit procedures should be done related to related parties (3)?
- review filings for related parties
- review material transactions for related party evidence
- review prior year documentation and ask predecessor auditor
What three things could be indicative of related party transactions?
- compensating balance arrangements
- loan guarantees
- transactions that differ from market terms
What are compensating balance arrangements?
Bank requires you to have a certain balance to borrow, and a related party helps fund that.
What does the auditor need to do once it identifies related party transactions?
- read the underlying contracts to determine business purpose
- determine whether appropriately accounted for and disclosed
- obtain evidence that transaction was approved
What should the auditor do if they identify a related party transaction with someone management did not tell them was a related party?
Re-evaluate risk and redesign procedures as needed.
What does PCAOB require issuers to do when related party transactions are identified?
- Determine whether any exceptions were granted.
- Evaluate financial capability of parties.
- Perform procedures on intercompany accounts.
What procedures can be used to discover potential litigation, claims, and assessments?
- management inquiry
- review IRS reports/tax returns
- review minutes
- obtain letter from client’s attorney
- review correspondence from attorneys
- obtain management representation letter
(Management/Auditor) is responsible for identifying and accounting for all contingent liabilities.
Management.
What document indicates that management disclosed to the independent auditor all such relevant information (litigation, etc.)?
Management Representation Letter
What is the key purpose of the attorney letter?
to corroborate information provided by management
Is client approval required to obtain a letter from the attorney?
Yes.
If the client does not allow the auditor to inquire of the attorney, what two things can the auditor do?
- Disclaimer of Opinion
- Withdrawal
If the client allows inquiry, but the attorney does not want to respond to the letter of inquiry, when does this result in a modified opinion?
when inquiry related to matters that the attorney devoted substantial attention to
Who writes and delivers the letter of audit inquiry to the lawyers?
management writes, auditor mails
Who does the attorney respond to (mail to) when it answers the letter of inquiry?
auditor
When should the letter of inquiry from lawyers be received?
within two weeks of the audit report date, no earlier
What happens if the lawyer’s letter is dated earlier than two weeks from the audit report date?
The auditor will need to request an updated response.
Should the auditor confirm with the attorney whether litigation, claims, and assessments have been properly disclosed and recorded in the financials?
No, the attorney does not need to be familiar with GAAP disclosure requirements.
Can the auditor examine legal documents in the client’s attorney’s possession?
No.
What is the confidentiality limitation?
Lawyer can share about matters that are not considered confidential.
Is there an issue if the lawyer will not respond about a matter that is not considered to be material?
No, there is no issue here.
When should a loss be accrued and disclosed?
probable and reasonably estimable
When should a loss be disclosed only?
- Reasonably Possible
- Probable but Not Reasonably Estimable
When is no disclosure or JE required?
remote possibility
If no amount in a range of reasonably estimated losses is more likely than the others, which amount should be accrued as a loss?
the lowest end of the range
What does GAAP require when there are events or conditions that raise substantial doubt about an entity’s ability to continue as a going concern?
disclosure by management
What does GAAS require of auditors in regard to going concern?
The auditor must evaluate whether substantial doubt exists about an entity’s ability to continue as a going concern.
You need to determine whether the entity has the ability to continue as a going concern for a …
reasonable period of time.
What is a reasonable period of time under FASB?
one year after the date the financial statements are issued (issuers) or available to be issued (nonissuers)
What is a reasonable period of time under GASB?
one year beyond the date of the financial statements
What is a reasonable period of time if the going concern basis is not applicable to the financial reporting framework (cash basis)?
one year after the date the financial statements are issued (issuers) or available to be issued (nonissuers)
What is the acronym for the four factors that may indicate substantial doubt?
FINE
What do all the letters in FINE stand for?
Financial Difficulties
Internal Matters
Negative Trends
External Matters
What are examples of financial difficulties?
Loan defaults, dividend arrearages, denial of usual trade credit, debt restructuring, noncompliance with capital requirements, new financial sources or methods, disposal of substantial assets
What are examples of internal matters?
Work stoppages, labor difficulties, substantial dependence on a single contract or project, uneconomic long-term commitments, significant revision of operations
What are examples of negative trends?
Recurrent losses, working capital deficiencies, negative cash flows, adverse financial ratios.
What are examples of external matters?
Legal proceedings, new legislation, loss of a key franchise/license/patent, loss of a principal supplier or customer, natural disasters.
What are five mitigating factors for substantial doubt?
- plans to borrow money
- plans to restructure debt
- plans to sell assets
- plans to delay or reduce expenditures
- plans to increase ownership equity
What is the common theme in the mitigating factors?
increase cash inflows or decrease future cash outflows
Mitigating factors must include both the ____ and ___ to carry out the planned procedures.
intent and ability
For a nonissuer engagement, what should the auditor do in the report if the substantial doubt is alleviated by management plans?
may include optional EoM paragraph making reference to management’s disclosure
For a nonissuer engagement, what should the auditor do in the report if the substantial doubt is NOT alleviated by management plans (remains)?
include separate section in report with heading “Substantial Doubt About the Entity’s Ability to Continue as a Going Concern”
Does the substantial doubt paragraph in a report mention “reasonable period of time”?
No, this is implied.
What terms must the substantial doubt paragraph include?
“substantial doubt” and “going concern”
For issuers, what should the auditor do in their report if substantial doubt remains?
include an explanatory paragraph with the terms “substantial doubt” and “going concern”
What other thing can the auditor of an issuer do in the report when there is a going concern?
disclaim the opinion
What should be included in the audit documentation when there is a substantial doubt (5 things)?
- conclusions that gave rise to substantial doubt
- any significant mitigating factors
- audit work performed to evaluate plans
- conclusion about whether remains or alleviated
- auditor’s conclusion on FS and disclosures
If going concern disclosures are inadequate, what opinion should be rendered?
qualified or adverse
If financials issued using going concern basis of accounting but this is inappropriate, what opinion should be rendered?
adverse
If going concern is alleviated in a future period, does the going concern explanatory paragraph need to show up in next year’s report for the comparative financials?
No.
The auditor’s primary purpose in performing a retrospective review of management’s significant accounting estimates reflected in the prior year financial statements is to …
indicate whether management was biased, either intentionally or unintentionally
Can an attorney evaluate going concern?
No.
T/F: Footnotes will indicate whether specific information was provided by management to the auditor.
False, this is inappropriate.
Will legal counsel tell the auditor the strategy currently in place by client management to resolve the lawsuit?
Yes.
T/F: The discovery of unexplained payments made to government employees would raise a question about the occurrence of an act of noncompliance with laws and regulations.
True.
If inherent uncertainties regarding litigation make it impossible for outside counsel to predict the outcome of pending lawsuits, what opinion should the auditor give?
Unmodified, as long as disclosure is appropriate.
If there are nonrecurring and/or unusual transactions occurring near year-end, what can this indicate?
related party transactions
T/F: The auditor may accept the letter from external counsel even though the CPA did not get a specific amount of loss.
True.
Is a plaintiff’s demand for $50,000 an appropriate estimate of the amount or range of loss?
No!
For a warranty, how much should you accrue in the year of sale if you expect 2% in the first year and 7% in the next year?
9% in the year of sale
When performing additional tests of controls, an auditor is attempting to support a (lower/higher) level of control risk.
lower
The objective of tests of details used as tests of controls is to…
evaluate whether the controls are operating effectively