A5, M1-M4 Flashcards
Can a different CPA firm perform the audit of the financial statements and the audit of internal control in an integrated audit?
No, the same firm has to do both parts of the audit.
What specifically is the auditor auditing in relation to internal controls (in an integrated audit)?
audit management’s assertion on the effectiveness of ICFR
What standards are used for an integrated audit of a public company?
PCAOB
What standards are used for an integrated audit of a non-issuer?
AICPA’s SAS 130
What is the auditor’s objective in an audit or internal control?
express an opinion on the effectiveness of internal controls
The (client’s/auditor’s) work supports internal controls. The (client’s/auditor’s) work supports the opinion about internal controls.
Client’s Work; Auditor’s Work
The date specified in management’s assertion about internal controls is the same as what other date?
the balance sheet date
If there is a material weakness in the IC, can the internal control be considered effective?
No, because they can create material misstatements in the financials.
The audit of internal control uses the same control criteria as …
management uses for its evaluation
Tests of controls should be designed to provide sufficient appropriate audit evidence to support both …
- opinion on internal control
- control risk assessment for the FS audit
Where is management’s internal control report included?
within the issuer’s annual report
What four things MUST management do in order for the audit of internal control to be performed?
- accept responsibility for effectiveness of IC
- evaluate effectiveness using suitable criteria
- support evaluation using sufficient appropriate evidence
- provide written assessment in a report
T/F: Management can rely on the auditor’s procedures for its assessment of internal control.
False. In fact, a statement that they did not rely on auditor’s procedures is required in the management rep letter.
Does the management have responsibility for updating the auditor on significant changes to internal control after the “as of” date of the report?
Yes.
What acroynym is used to identify the four items that the auditor should study when obtaining an understanding of the entity’s industry?
FELT
What does the F in FELT stand for (industry understanding)?
financial reporting practices of the industry
What does the E in FELT stand for (industry understanding)?
economic conditions
What does the L in FELT stand for (industry understanding)?
laws and regulations
What does the T in FELT stand for (industry understanding)?
technological changes
What should the auditor consider when looking at management’s method of evaluating control effectiveness (4)?
methods used, process of testing, consistency of testing, internal auditor’s qualifications
What materiality level is used in the internal control portion of the audit?
the same the materiality level for the FS
T/F: A separate risk assessment process is needed when the auditor does an integrated audit.
False, the same risk assessment process is used.
What are the three types of management fraud, and their accompanying simple terms?
- Financial Statement Fraud (Lying)
- Asset Misappropriation (Stealing)
- Corruption (Cheating)
Which form of management fraud is the most common?
financial statement fraud
Can an auditor use the work of others in evaluating the effectivness of internal control?
Yes.
What three traits must be true of the person whose work the auditor uses?
- competent
- objective
- qualified
With greater risk, a (greater/lesser) degree of competence and objectivity is required.
greater
In higher risk areas, are auditors more or less likely to use the work of others?
less likely
What is the top-down approach used for?
to select controls to test
What are the three components of the top-down approach?
- Evaluate overall risks at the FS level.
- Consider controls at the entity level.
- Focus on RMM of accounts, disclosures, and assertions.
Entity-level controls are usually controls related to ____.
CRIME
Evaluation of risk factors is the (same/different) for the audit of financial statements and an audit of ICFR.
same
The auditor should determine whether the components of ICFR are (2)?
- Present and functioning in design, implementation, and operation, AND
- Operate together in an integrated manner
What does the internal auditor do?
monitor systems to ensure they are present and functioning effectively
Design effectiveness is usually tested through what audit procedures?
walkthroughs, which involve inquiry, observation, and inspection
Operating effectiveness is usually tested through what audit procedures?
inquiry, inspection of documentation, observation, recalculation, reperformance
Is inquiry alone sufficient to support a conclusion about operating effectiveness?
No!
T/F: The auditor is responsible for obtaining sufficient appropriate evidence to support an opinion about each individual control.
False, only needs to support an opinion on the effectiveness of entity’s internal control overall.
T/F: An individual control has to operate without any deviation to be considered effective.
False, but too many deviations can become a problem.
Does an auditor reference the service auditor’s report in the auditor’s report on internal control?
No.
What two things does the auditor need to obtain when a service organization is part of an entity’s internal control?
- understanding of relevant controls at the service organization
- evidence that controls at the service organization are operating effectively
What three ways can the auditor obtain evidence that controls at the service organization are operating effectively?
- obtain service auditor’s report
- test the entity’s controls over the activities of the service organization
- perform tests of controls at the service organization
What does benchmarking of automated controls mean?
no need to repeat testing from the previous year for operating effectiveness
Benchmarking is most effective in (high/low) risk situations.
low
Can evidence obtained from the FS audit be used to form an opinion on IC?
Yes.
Logistically and high-level, how does an IC audit work if the ultimate goal is to evaluate management’s assessment of IC?
- Auditor forms their own opinion about IC.
- Auditor evaluates management’s report on IC, and finds if there are any discrepancies.
What is the date of management’s report on IC?
the end of the entity’s most recent fiscal year
What should the auditor do if management refuses to provide a report on IC?
withdraw from the engagement
When does the auditor modify their report on IC (2 situations)?
- Incomplete: Management does not include disclosures for 1+ material weaknesses.
- Improperly Presented
What is the auditor’s responsibility for additional information included in mangement’s IC report?
- Auditor should read the information to ensure there are no material inconsistencies. AND
- Disclaim an opinion on the information.
The audit of ICFR results in an opinion in internal control (as of a point in time/for the entire year).
as of a point in time
To render an opinion on internal control, the auditor should obtain evidence about the effectiveness of selected controls over ____ ___ ____.
all relevant assertions
T/F: Restricted use language is required in the communication of internal control deficiencies in a financial statement audit.
True.
T/F: Restricted use language is required in the communication of internal control deficiencies in an integrated.
False, no restriction is required.
According to the Sarbanes-Oxley Act of 2002, a chief executive officer must certify each of the following, except:
A. The annual financial report.
B. The quarterly financial report.
C. The management internal control report.
D. The financial expertise of the audit committee.
D. The financial expertise of the audit committee
Scope, procedures, and purpose of internal control procedures is (the same/different) in FS audit and IC audit of a nonissuer.
different
T/F: Management provides assurance about its internal controls in its representation letter.
False, they do not provide assurance, only a representation.
Is this statement included in an auditor’s report on the integrated audit: A company’s internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with accounting principles generally accepted in the United States of America.
Not exactly. The part about “effected by those charged ..” is not included in the audit report’s definition of internal controls.
To who, when, and how should the auditor report control deficiencies found in an integrated audit of a non-issuer?
Who: Management
When: Within 60 days of report release date
How: Writing
To who, when, and how should the auditor report significant deficiencies found in an integrated audit of a non-issuer?
Who: Management and Board
When: Before Report Release Date
How: Writing
To who, when, and how should the auditor report material weaknesses found in an integrated audit of a non-issuer?
Who: Management and Board
When: Before Report Release Date
How: Writing
To who, when, and how should the auditor report control deficiencies found in an integrated audit of an issuer?
Who: Management + Inform audit committee that this communication was made
When: Before report release date
How: Writing
To who, when, and how should the auditor report significant deficiencies found in an integrated audit of an issuer?
Who: Management + Inform audit committee that this communication was made, and Audit Committee
When: Before report release date
How: Writing
To who, when, and how should the auditor report material weaknesses found in an integrated audit of an issuer?
Who: Management + Inform audit committee that this communication was made, and Audit Committee
When: Before report release date
How: Writing
In an integrated audit, should the auditor re-communicate significant deficiencies or material weaknesses previously communicated but not corrected?
Yes.
What are the main categories of items mentioned in the auditor’s communication to management and those charged with governance (integrated audit)?
- Addressee
- Intro: GAAS, advise you
- Our Responsbility: plan audit, obtain reasonable assurance
- Deficiency and Material Weakness Definitions
- Listing of Material Weaknesses
- Definition of Significant Deficiencies
- Listing of Significant Deficiencies & Effects
- Restriction of Use Paragraph
- Auditor Signature, Address, Date of Auditor’s Report
Who is the communication to management and governance limited to?
only for management, governance, others within the organization, governmental authorities
Can the auditor’s report state that no deficiencies less than material weaknesses were identified?
No.
Can the auditor’s report state that no material weaknesses were identified?
No, this is too high a level of assurance.
What two ways are there for issuing a report on internal controls?
(1) separate reports issues for FS audit and IC audit
(2) combined report for both opinions
What is the title of the separate report on IC for a non-issuer?
Independent Auditor’s Report
What is the subtitle for the separate report on IC for a non-issuer?
Report on Internal Control Over Financial Reporting
What are the various sections of the separate report on IC for a non-issuer?
- Opinion on ICFR
- Basis for Opinion
- Responsibility of Management for ICFR
- Auditor’s Responsibility for Audit of ICFR
- Definition and Inherent Limitations of ICFR
- Report on Other Legal and Regulatory Requirements
- Report on Audits of ICFR
What does the opinion section include for a separate report on IC for a nonissuer?
- We have audited [company’s] internal control over financial reporting, as of [date], based on [criteria used, like COSO].
- In our opinion, [Company] maintained, in all material respects, effective internal control over financial reporting as of [date], based on [identify criteria].
- We also have audited, in accordance with GAAS, [financial statements] of [company].
- Our report dated [date] expressed [nature of opinion].
If you issue a separate report on IC for a nonissuer, what extra paragraph do you have to include in the opinion?
that you also audited the financial statements and the nature of the opinion
What four things are included in the Basis for Opinion for a non-issuer’s separate report over IC?
- GAAS
- more responsibilities in Auditor’s Responsibility section
- independent & ethical
- We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.
What two things are included in the management’s responsibility section for a non-issuer’s separate report over IC?
- design, implementation, and maintenance of effective ICFR
- assessment of effectiveness of ICFR, included in the accompanying report [title of report]
What is included in the auditor’s responsibility section for a non-issuer’s separate report over IC?
- obtain reasonable assurance about effective ICFR in all material respects
- issue report
- reasonable assurance is high, not absolute, so may not detect all material weaknesses
- follow GAAS
- exercise professional judgement + professional skepticism
- Obtain understanding of ICFR
- assess risks of material weakness
- test and evaluate design and operating effectiveness of ICFR
What two inherent limitations are mentioned in a non-issuer’s separate report?
- may not prevent, or detect and correct, misstatements
- projections of any assessment into the future are subject to the risk that controls become inadequate (changes in conditions or compliance may deteriorate)
What is the date of a non-issuer’s separate report on IC?
the same as the date of the report for the audit of the FS
How is an unmodified opinion on ICFR worded?
In our opinion, [Company] maintained, in all material respects, effective ICFR as of [date], based on [identify criteria.]
How is the basis for opinion section different when you do one combined report for a nonissuer?
It is not!
What does the management responsibility section look like for combined report, nonissuer?
- preparation and fair presentation of FS
- design, implement, maintain IC
- assessment of IC, included in accompanying [title of report]
- substantial doubt about ability to continue as going concern
What opinion on IC is expressed when there is a material weakness in IC?
adverse opinion
How is the report modified (headings only) when there is a material weakness in IC?
- Adverse Opinion on IC
- Basis for Adverse Opinion
What is the wording for an adverse opinion on IC?
Because of the effect of material weaknesses described in the Basis for Adverse Opinion section on the achievement of objectives of [identify criteria], [Company] has not maintained effective ICFR as of [date].
What additional statement is included in the Adverse Opinion on ICFR section (nonissuer)?
We considered the material weaknesses described in the Basis for Adverse Opinion section in determining the NET of audit procedures applied to the audit of FS, and this report does NOT affect such report on the FS.
What two things are added to the Basis for Adverse opinion section if the nonissuer’s report is modified so?
- Material Weakness Definition
- Listing of Material Weaknesses
Should the non-issuer’s auditor consider the effect of an adverse opinion on IC on the FS opinion?
Yes.
Does the non-issuer’s auditor indicate whether the opinion on FS was affected by the material weakness?
Yes.
What should the auditor do if management’s report includes the material weakness, but does not present it fairly?
Auditor’s report should fairly describe the material weakness.
If the auditor of an issuer presents a separate report, what additional paragraph must be added to the report on the financial statements?
add a paragraph after the opinion that states that the ICFR was also audited based on control criteria, date, and nature of opinion
How is the opinion section formatted for the combined issuer report, first and second paragraph?
First Paragraph: We have audited FS, … We have audited ICFR …
Second Paragraph: Opinion on FS, Opinion on ICFR
Does an auditor have an obligation to report that a previously identified material weakness has been eliminated? Is this a voluntary or required part of the engagement?
Only if management engages the auditor separately to attest to the improvements in IC. This is voluntary/
What is the auditor’s testing limited to when engaged to report only on material weaknesses that have been resolved?
Testing is limited to controls specifically identified by management.
How is a disclaimer of opinion on ICFR worded (nonissuer)? What change is made to the opinion paragraph?
- Beginning is changed to: “We were engaged to audit…”
- Because of the significance of the matter described in the Basis for Disclaimer of Opinion on ICFR, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion. Accordingly, we do not express an opinion on the effectiveness of ABC Company’s ICFR.
How is a disclaimer of opinion on ICFR worded (issuer)? What change is made to the opinion paragraph?
- Because of the limitation on the scope of our audit described in the next paragraph, the scope of our work was not sufficient to enable us to express, and we do not express an opinion on the effectiveness of ICFR.
- Beginning is changed to: “We were engaged to audit…”
If you issue a disclaimer of opinion, should you still describe any identified material weaknesses?
Yes.
What is unique about the timing of a disclaimer of opinion being issued?
The auditor can issue a report disclaiming an opinion as soon that they have the scope limitation. They do not have to wait for the report on the financials to disclaim an opinion.
The decision about whether to make reference to another auditor in the report on internal control is (dependent/independent) of the similar decision made with respect to the financial statement audit.
independent
What three types of engagements are attestation engagements?
- examination
- review
- agreed-upon procedures
What is the name of the attestation standards and what institution is it issued by?
Statements on Standards for Attestation Engagements (SSAE), by the AICPA
Are attestation standards broader or more limited in scope than GAAS?
Broader, a natural extension of GAAS.
Conceptually, how does SSAE differ from GAAS (2 ways)? Hint: No reference is made to …
- no reference to historical financial statements
- no reference to GAAP
Common concepts to all attestation engagements are represented through what mnemonic?
CAPE CORP
What does the first C stand for in CAPE CORP (attestation common concepts)?
compliance with all attestation standards relevant to the engagement
What does the A stand for in CAPE CORP (attestation common concepts)?
acceptance and continuance for client relationships
What does the first P stand for in CAPE CORP (attestation common concepts)?
preconditions for attestation engagement are present
What does the E stand for in CAPE CORP (attestation common concepts)?
engagement documentation standards (timeliness, retention, ownership, confidentiality)
What does the second C stand for in CAPE CORP (attestation common concepts)?
Change in terms of engagement, when applicable and reasonable
What does the O stand for in CAPE CORP (attestation common concepts)?
Other practitioner work can be used
What does the R stand for in CAPE CORP (attestation common concepts)?
responsibility for quality control (of the auditor)
What does the second P stand for in CAPE CORP (attestation common concepts)?
professional skepticism and professional judgement
Attestation risk is equal to the product of what three things?
Inherent Risk times Control Risk times Detection Risk
If scope is restricted in an examination engagement, what are the possible outcomes?
- qualified opinion
- disclaimer of opinion
- withdrawal
If scope is restricted in a review engagement (SSAE), what are the possible outcomes?
withdrawal ONLY
What are the two key types of examination engagements?
- Assertion-Based Examination
- Direct Examination
What are the two types of assertion-based examinations?
- Assertion Based Examination about a Subject Matter
- Assertion Based Examination about an Assertion
Is an auditor required to be independent in an examination?
Yes, because this is an attestation engagement.
Go and read summary of sample reports for examination and review engagements.
Is the inherent limitations section required or optional for an examination report? What about for a review report?
Optional for Examination, Required for Review
What is a direct examination?
The auditor independently gathers evidence without management’s assertion.
What is an assertion-based examination?
Auditor tests management’s assertions around the FS.
What are the sections of the Assertion-Based Examination Report on a Subject Matter?
- Title: Independent Accountant’s Report
- Introduction
- Scope
- Independence Requirements
- Inherent Limitations (optional)
- EoM (optional)
- Opinion
What is the wording for an unmodified opinion for an assertion-based examination report on a subject matter?
In our opinion … is presented in accordance with the [criteria] in all material respects …
What are the sections of the Assertion-Based Examination Report on an Assertion?
same sections as those for Assertion-Based Examination Report on Subject Matter
What is the wording for an unmodified opinion for an assertion-based examination report on an assertion?
In our opinion … management’s assertion that is presented in accordance with [criteria] in footnotes.
How does the scope paragraph differ from an assertion-based examination report on an assertion versus subject matter?
Assertion: Examination was conducted … AICPA … NET of procedures
Subject Matter: Examination was conducted … AICPA
What type of assurance does an examination provide? A review? Agreed upon procedures?
Examination: Reasonable Assurance (positive)
Review: Limited (negative)
Agreed-Upon Procedures: None
What result is presented for an examination engagement?
opinion
What result is presented for a review engagement?
conclusion
What result is presented for an agreed-upon procedures engagement?
list of findings
Who is the engaging party in an AUP engagement?
the client engaging the practitioner (CPA firm)
Who is the responsible party in an AUP engagement?
the party responsible for the subject matter
Who is responsible for assessing the sufficiency of procedures performed in an AUP engagement?
the client, not the CPA firm
What acronym tells you the conditions for an agreed-upon procedures engagement?
I AM SURE
What does the I stand for in I AM SURE (AUP engagement conditions)?
independence of the practitioner
What does the A stand for in I AM SURE (AUP engagement conditions)?
agreement of the parties to the procedures that will be performed (via engagement letter)
What does the M stand for in I AM SURE (AUP engagement conditions)?
measurability and consistency
What does the S stand for in I AM SURE (AUP engagement conditions)?
sufficiency of the procedures (client’s responsibility)
What does the U stand for in I AM SURE (AUP engagement conditions)?
use of the report can be general or restricted
What does the R stand for in I AM SURE (AUP engagement conditions)?
responsibility for subject matter belongs to the client (responsible party)
What does the E stand for in I AM SURE (AUP engagement conditions)?
engagements to perform agreed upon procedures on prospective financial statements
A procedures report should explicitly state that they did not conduct a …
examination or review, and therefore do not express an opinion or conclusion.
The (engaging party/responsible party) agrees and acknowledges that the procedures performed are appropriate to meet the purpose of the AUP engagement.
engaging party
What are prospective financial statements?
forward-looking financial statements, which may include a period that has partially expired (passed)
What is a partial presentation?
omit one of the essential elements of GAAP FS (sales, GP, unusual items, discontinued ops, net income, etc.)
Are partial presentations considered to be prospective financial statements?
No.
What are pro-forma financials?
financials of the past (historical) that have been altered to a “what-if” scenario
What is a common example of a pro-forma financial statement?
non-GAAP financials
Are pro-forma financials considered to be prospective financials?
No.
What are the two types of prospective financial statements?
- Financial Forecast
- Financial Projection
What is a financial forecast?
expected financial results in a future period, to the best of the entity’s knowledge
What is a financial projection?
financial position in the future based on a “what-if” scenario (hypothetical assumptions)
When is a statement suitable for general use?
used by parties not negotiating directly with the responsible party (issuing company)
When is a statement suitable for limited use?
- used by responsible party ONLY, or
- used by parties negotiating with the issuing company
What four engagements are related to prospective financials?
- preparation
- compilation
- examination
- agreed upon procedures
If these three things are excluded, a CPA firm cannot prepare the prospective financials?
- summary of significant assumptions
- identification of hypothetical assumptions
- description of limitations on usefulness of presentation
What happens in a compilation of prospective financials?
CPA firm is engaged to assemble financial data based on responsible party’s assumptions.
What responsibility does the auditor have in a compilation engagement?
Read the statements for obvious errors only.
What standards are used for preparation and compilation of prospective financial statements?
SSARS
What two things does an auditor express an opinion on in an examination of the prospective financial statements?
(1) whether statements are in conformity with AICPA guidelines and
(2) underlying assumptions provide reasonable basis for the prospective financials
What standards are used for examination of prospective financial statements?
SSAE
When are prospective financials limited use?
when they are projections, not forecasts
If AICPA presentation guidelines are not followed, what opinion is rendered in an examination of the prospective financials?
qualified or adverse
If significant assumptions are not disclosed, what opinion is rendered in an examination of the prospective financials?
adverse
If one or more of the significant assumptions do not provide a reasonable basis for the financial statements, what opinion is rendered in an examination of the prospective financials?
adverse
If there is a scope limitation, what opinion is rendered in an examination of the prospective financials?
disclaimer
What types of engagements are appropriate for pro-forma financials?
examination or review
Unlike in other engagements, what is referred to in a report for pro forma financials?
the historical financial statements that the information is derived from (and whether they were audited or reviewed)
The consistency assertion in an MD&A presentation addresses whether …
nonfinancial data has been accurately derived from related records.
Which standards address the auditor’s responsibilities when engaged to issue letters (commonly referred to as comfort letters) to a broker or dealer of securities?
SAS
Which standards are used when engaged to provide assurance on investment performance statistics prepared by an investment company on established criteria?
SSAE, because this is providing assurance on something other than historical financial statements.
T/F: When reporting on an assertion about the subject matter instead of reporting directly on the subject matter, the report must be restricted.
False.
When performing an assertion-based examination, the engaging party is not the responsible party, and a written assertion has not been provided, should the report be restricted?
Yes.
What is the general rule: when there is a change in engagement, should the report reference procedures that have been performed in the original engagement?
No, in general.
What is the exception to the rule that you should not reference procedures performed in an original engagement (when there is a change)?
when you perfom an agreed-upon procedures engagement, you are required to report on all procedures performed (even if part of prior engagement)
Does the term “fair presentation” appear in an agreed-upon procedure report?
No.
T/F: . An accountant performing an engagement to compile prospective financial statements should make inquiries about the accounting principles used in the preparation of the prospective financial statements.
True.
What is the date on the agreed-upon procedures report?
the date of completion of the agreed-upon procedures
Does an accountant need to reevaluate the entity’s internal control over financial reporting in an examination of pro forma financials?
No!
If no materiality threshold was established in the engagement letter, should an agreed-upon procedures report reference materiality?
No!
