A5, M5-M8 Flashcards
Service organization’s controls are considered to be part of the user entity’s ____ ____ when …
information system; they affect the reporting of transactions
A service organization usually has what type of engagement performed in order to provide that report to all their user entities?
examination engagement
What are the two types of examination engagements that can be performed on a service entity (names only)?
SOC 1, SOC 2
SOC 1 and SOC 2 reports can further be broken out into what types (names only)?
Type 1 and Type 2
What does a SOC 1 report look at?
entity’s system of ICFR
What does a SOC 2 report look at?
Trust Services Criteria (security, confidentiality, etc.)
“ABC Firm audits Party Solutions. Party Solutions uses Quick Payroll to process its payroll transactions. XYZ Firm audits Quick Payroll.” Identify the user entity.
Party Solutions
“ABC Firm audits Party Solutions. Party Solutions uses Quick Payroll to process its payroll transactions. XYZ Firm audits Quick Payroll.” Identify the user auditor.
ABC Firm
“ABC Firm audits Party Solutions. Party Solutions uses Quick Payroll to process its payroll transactions. XYZ Firm audits Quick Payroll.” Identify the service organization.
Quick Payroll
“ABC Firm audits Party Solutions. Party Solutions uses Quick Payroll to process its payroll transactions. XYZ Firm audits Quick Payroll.” Identify the service auditor.
XYZ Firm
What does a Type 1 report do (2)?
- report on design and implementation
- as of a specified date
What does a Type 2 report do (2)?
- report on design, implementation, and operating effectiveness
- over a given period
What are the two key objectives of the service auditor?
- obtain reasonable assurance about (1) whether management’s description of system fairly presents design and implementation, (2) controls are designed, implemented, and (3) operating effectively
- report in accordance with findings
Who is the intended user(s) of a SOC 1 report?
user entity, user auditor, management of service organization
Who is the intended user(s) of a SOC 2 report?
broad range of users
Since the SOC 2 is for a “broad range of users,” can it be issued publicly?
No, it is still a restricted use report.
What is the title for a Type 1 Report?
Independent Service Auditor’s Report on XYZ Service Organization’s Description of Its System and the Suitability of the Design of Controls
What is the title for a Type 2 report?
Independent Service Auditor’s Report on XYZ Service Organization’s Description of Its System and the Suitability of the Design and Operating Effectiveness of Controls
Who is the addressee in the Type 1 and Type 2 reports?
the service organization
What are the headings/sections in a Type 1 report?
Title
Addressee: Service Organization
Scope
Service Organization’s Responsibilities
Service Auditor’s Responsibilities
Inherent Limitations
Other Matter
Opinion
Restricted Use
Signature, Address, Date
What is the only difference in the headings for a Type 2 report?
Other Matter -> Description of Tests of Controls
What does the Other Matter heading mention in a Type 1 report?
We did not assess operating effectiveness and do not express an opinion on OE.
What does the Description of Tests of Controls mention in a Type 2 report?
The specific controls tested and the nature, timing, and results of those tests are listed in [section where list is presented].
What two things does a service auditor provide an opinion on in a Type 1 report?
- management description is fairly presented
- controls suitably designed
What three things does a service auditor provide an opinion on in a Type 2 report?
- management description is fairly presented
- controls suitably designed
- controls operating effectively
What three documents are included in a Type 1 report?
- management’s description of system
- written assertion by management that description is fairly presented and controls suitably designed
- auditor’s opinion on management’s assertion
What four documents are included in a Type 2 report?
- management’s description of system
- written assertion by management that description is fairly presented and controls suitably designed and OE
- auditor’s opinion on management’s assertion
- description of auditor’s tests of controls and results
Are parties that the Type 1 and Type 2 reports are restricted to different or the same?
the same
What two things should the user auditor understand when a service organization is used?
- nature and significance of services provided, AND
- effect on user entity’s system of IC
Does a SOC 1 Type 1 report provide the user auditor with a basis for reducing control risk below maximum for areas of IC affected by the service organization?
No, because only one point in time and no assessment of OE.
How does a SOC 1 Type 1 report help the user auditor?
obtain an understanding of controls
Does a SOC 1 Type 2 report provide the user auditor with a basis for reducing control risk below maximum for areas of IC affected by the service organization?
Yes.
If the SOC 1 Type 2 report is not available to allow reduction in assessed risk, what alternative procedures can the user auditor perform (2)?
- test user organization’s control over the service organization’s activities, OR
- perform test of controls AT the service organization
If a user auditor does use the SOC 1, Type 2 report, what does the user auditor need to check first (5)?
- service auditor’s competence and independence
- adequate standards
- appropriate time period
- complementary controls
- test of controls relevant and provide sufficient appropriate audit evidence
If the user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organization relevant to the audit, what opinion(s) should be issued?
qualified or disclaimer (audit issue)
If the opinion is unmodified, should the user auditor reference the service auditor?
No.
When can the service auditor be referenced in a report by the user auditor?
to explain a modification of the user auditor’s opinion
A user auditor evaluates whether the service auditor’s report on controls provides sufficient appropriate evidence to support an opinion on internal controls over financial reporting by assessing … (2 things)
- results of the tests of controls
- the service auditor’s opinion on the operating effectiveness of the controls
To understand the independence and competence of the service auditor, the user auditor usually does what?
perform inquiries
Does the user auditor perform a background check on the service auditor?
No.
When is a description of controls usually provided to an auditor, in relation to signing the engagement letter?
after signing the engagement letter
Is materiality determined by the service auditor’s report?
No, it is determined by the needs of the FS users.
What is compliance reporting?
providing reasonable assurance that MM would be detected (IC) resulting from noncompliance
If a compliance report is in connection with audited financial statements, what 3 conditions need to be met?
- auditor audited client’s FS
- auditor may only issue negative assurance on compliance
- engagement is neither a compliance audit nor an attestation engagement
What is negative assurance?
a statement that you did not find anything wrong (but that does not mean there could be things wrong)
What does negative assurance look like for a compliance report in connection with an audit of FS?
Auditor found no evidence that entity failed to comply with their contractual or regulatory requirements.
When can negative assurance be given (3 AND criteria)?
- no noncompliance was identified,
- unmodified or qualified opinion on FS, AND
- applicable requirements have been subjected to audit procedures in the FS audit
How can the report on compliance be presented (2 ways)?
- may be a separate report OR
- provide report in 1+ paragraphs in the auditor’s report
What are the three potential subject matters related to compliance engagements (names only)?
- Compliance with Specified Requirements
- Internal Control Over Compliance
- Both 1 and 2
What are the two types of attestation engagements that can be performed for compliance?
Agreed Upon Procedures, Examination
What 3 conditions must be met to perform an AUP engagement for compliance (any of the three types)?
- Responsible party accepts responsibility for compliance and IC over compliance, AND
- Responsible party evaluates compliance and IC over compliance, AND
- Management is responsible for compliance and evaluation of compliance.
What 3 conditions must be met to perform an examination engagement for compliance (any of the three types)?
- Responsible party accepts responsibility for compliance and IC over compliance, AND
- Responsible party evaluates compliance and IC over compliance, AND
- Sufficient evidential matter exists or could be developed to support management’s evaluation
What should a practitioner do in relation to compliance examination (like the audit process)?
- Perform a risk assessment
- Design responses to the risk assessment (procedures)
- Determine if supplementary audit requirements exist
- Obtain written representations from management
- Prepare reports
- Prepare required documentation
Are there materiality levels in an examination?
Yes.
What 6 representations does management make in a compliance engagement?
- responsibility for complying with requirements
- responsible for IC over compliance
- performed evaluation of compliance and/or IC over compliance
- disclosed to the practitioner all known noncompliance (even subsequent)
- provided all documentation to the auditor
- interpretation of anything with varying interpretations
What is the calculation for audit risk of noncompliance?
risk of material noncompliance (like RMM, IR times CR) times detection risk
What is inherent risk in the context of noncompliance?
susceptibility of a compliance requirement to noncompliance that could be material, assuming there are no controls
What is control risk in the context of noncompliance?
risk that material noncompliance will not be prevented or detected and corrected on a timely basis by internal control
What is GAGAS (generally accepted government auditing standards) usually referred to as?
Yellow Book
GAGAS contains standards for audits of what two groups?
- government organizations, programs, activities, and functions
- government assistance received by contractors, NFPs, and other non-governmental organizations
A governmental audit can be performed for what two types of financial statements?
- GAAP financials
- OCBOA financials (special purpose frameworks)
What three attestation engagements can be performed according to the governmental standards (Yellow Book)?
- examination
- review
- agreed upon procedures
What are performance audits?
provide objective analysis, findings, and conclusions to assist management in decision-making and improving performance
What are the four key categories of a performance audit?
- Effectiveness, Economy, and Efficiency
- Internal Control
- Prospective Analysis
- Compliance
What special thing does the auditor want to determine/ensure in a governmental audit?
There was compliance with financial obligations, and funds were used for designated purposes.
Who publishes Generally Accepted Government Auditing Standards (GAGAS)?
the Government Accountability Office (GAO)
Audits in accordance with GAGAS require additional attention on what three categories?
- fraud
- noncompliance
- abuse
What is abuse?
deficient or improper behavior, including misusing your authority for personal gain
Is the auditor required to detect abuse?
No, because abuse is subjective. However, the auditor must perform further testing if they discover abuse.
Who should the auditor communicate with in a governmental audit?
- individuals contracting for/requesting the audit, AND
- cognizant legislative committees
What is the difference between reporting on ICFR in a governmental audit (GAGAS) v. AICPA/PCAOB standards?
GAGAS: No opinion expressed on IC and compliance but you should describe the scope of auditor testing and findings.
AICPA: Opinion on IC (reasonable assurance)
If separate reports are issued for the internal control and compliance aspect of a governmental audit, what should the report on the FS include?
reference to the existence of the separate report
What types of deficiencies in IC should be communicated in a governmental audit?
significant deficiencies and material weaknesses
Who should material findings of noncompliance be reported to?
the “board” like members
Management responses to the findings of the auditor (governmental audit) should be included where (2 options)?
on the report of IC and compliance OR in a separately presented schedule of findings
Can management responses to the findings of the auditor be oral? Are these included in the auditor’s report?
Yes can be oral, but then the auditor should document it and confirm with management.
Cannot be included in the auditor’s report.
Can management responses to the findings of the auditor be written? Are these included in the auditor’s report?
Yes, and included in the auditor’s report.
When may an auditor issue a report without management responses (2)? What additional disclosure must be made?
- Audited entity refuses to make comments, or is unable to make comments.
- Disclose: Entity did NOT provide comments.
If an audit report excludes confidential or sensitive information, what should the report state?
That it is omitting information and the reason for the omission.
Who are audit reports distributed to in a governmental audit (5)?
- those charged with governance
- officials of the entity
- oversight bodies
- entities responsible for acting on audit findings/ recommendations
- all those authorized to receive audit reports
Internal audit organizations in governmental entities must follow which standards?
Institute of Internal Auditors (IIA) International Standards
In what two situations are deficiencies reported early (before the audit report date)?
(1) urgency of findings require faster corrective actions/follow-up
(2) ongoing noncompliance undetected by management should be stopped immediately
What should be included in management’s representations in GAGAS audit?
- no violations or possible violations of laws/regulations
- responsible for entity’s compliance with laws and regulations
- identified and disclosed in writing to the auditor all laws and regulations that have a direct and material effect on the FS
What is a major difference relating to internal control between governmental auditing standards and GAAS?
Governmental audits require a written report on internal controls to be prepared.
What is the title of the auditor’s GAGAS report?
Independent Auditor’s Report
What is included in the content of a written report on internal control (GAGAS), 3 things?
- assertion that evaluating compliance with laws that have a direct and material effect on FS is part of developing an opinion on FS
- assertion that specific controls relating to financial reporting are considered
- indication that no weaknesses were found, or that significant deficiencies were found (and an indication of whether they were material).
What is different about the standards mentioned in a governmental audit report?
both GAAS and GAGAS are mentioned
What is the content (headings) in a GAGAS report on internal control and compliance?
- Appropriate Addressee
- Intro Paragraph (not labeled)
- Internal Control Over Financial Reporting
- Compliance and Other Matters
- Purpose of this Report
- Signature, Address, Date of Report
What is in the intro paragraph of a GAGAS report on IC and compliance?
- We have audited …
- in accordance with GAAS and GAGAS
- [financial statements], [date], [date of report]
What is in the ICFR paragraph in the GAGAS report on IC and compliance?
- Considered ICFR to plan and perform …
- not expressing an opinion on the effectiveness of IC
- Define deficiency, material weakness, and significant deficiency.
- Not identifying all deficiencies
- List the deficiencies identified, note if there were no material deficiencies.
What is in the Compliance and Other Matters paragraph in the GAGAS report on IC and compliance?
part of obtaining reasonable assurance about MM
test of compliance where noncompliance could have direct and material effect on FS
Not providing an opinion on compliance
No instances of noncompliance noted.
What is included in the Purpose of This Report paragraph in GAGAS report on IC and compliance?
describe scope of our testing of IC and compliance and results of testing
not providing opinion on effectiveness of IC or compliance
integral part of the audit performed with GAGAS
not suitable for another purpose
What is the Single Audit Act designed to do (2)?
- improve the effectiveness of audits of federal awards
- reduce burden of federal audit requirements for recipients of federal financial assistance
Entities subject to the Single Audit Act can be categorized into what two categories?
- Type A
- Type B
What are Type A entities?
receives AND expends federal assistance of equal to or greater than $750K
What are Type B entities?
receives AND expends federal assistance of less than $750K
The Single Audit Act allows for what two types of audits?
- single audit OR
- program-specific audit
Who does a program specific audit apply to (2 criteria)?
- awards are expended under a single federal program
- no FS audit required
What are the two main objectives of a single audit?
- audit of entity FS and reporting on separate schedule of expenditures of federal awards (how the $ was used)
- compliance audit of federal awards expended
Single Audit includes a separate evaluation of materiality for each ____ ____ selected.
major program
What are considered major programs (2 options)?
- Type A (expend >= $750K)
- Type B that is classified as “high risk”
What standards does the auditor need to follow in a program-specific audit (2)?
- GAGAS, and
- program-specific audit guide from Inspector General
What if a program specific audit guide is not available?
The auditor has the same responsibilities as in a Single Audit.
Audit requirements of single audits apply to what three groups?
- Recipients of Federal Financial Assistance
- Subrecipients of Federal Financial Assistance
- Contractors
T/F: An auditor for a single audit can be selected by only considering one firm or providing preference to local firms.
False, these criteria are not acceptable.
Consultants engaged to develop indirect cost plans may not be engaged as the auditor when indirect costs recovered by the auditee in the prior year exceeded ______.
$1M
The audit report in a single audit must be submitted on the earlier of what two dates?
- 30 days after the receipt of the auditor’s report, OR
- 9 months after the end of the audit period
How long do reports need to be retained from the date of submission (single audit)?
three years
Are copies of the report in a single audit available for public inspection?
Yes, unless restricted.
The report (single audit) must be transmitted using a ____ ___ ___ that follows a specific data set required by the ____ _____ __ __ ____.
Data Collection Form, Office of Management and Budget (OMB)
The overall reporting package of a single audit client contains what four things?
- FS
- summary schedule of prior audit findings
- auditor’s reports
- corrective action plans
In a single audit, what two sources are used for internal control guidance?
- U.S. Office of Comptroller General
- COSO
Is understanding of internal control over compliance and compliance testing required for nonmajor federal programs?
No, only for major programs.
If controls are deemed effective, what should the single auditor do?
test further to support a low assessed level of control risk
If controls are deemed ineffective, what should the single auditor do?
report them, no need to test further
Is an opinion on compliance provided in a single audit?
Yes, for each major program.
What is the objective of an engagement to form an opinion on compliance?
obtain reasonable assurance that the auditee complied, in all material respects, with compliance requirements
What is included in Uniform Guidance for single audits (3)?
- administrative requirements
- cost principles
- compliance supplement with required audit procedures in a matrix of compliance requirements
Administrative requirements in Uniform Guidelines deal with the federal regulations associated with …
all phases in the grant life cycle (from beginning to end)
Cost principles in Uniform Guidelines define costs that are either …
generally unallowable or generally allowable
What are the basic criteria for a cost to be allowable (2)?
- reasonable and necessary
- properly allocated to the federally funded program
Are these costs generally allowable or unallowable to be paid from federal assistance: compensation, equipment, direct costs, insurance, indemnification?
allowable
Are these costs generally allowable or unallowable to be paid from federal assistance: organization costs, entertainment costs, fines, penalties, damages, other settlements?
Unallowable, have to be paid from other sources.
What responsibility does the current year auditor have for previous audit findings in a single audit?
- follow up on audit findings from previous audits
- perform procedures to assess reasonableness of the summary schedule of prior audit findings prepared by the auditee
What five reports/opinions are produced in a single audit?
- FS Report: Opinion on fair presentation of FS in accordance with GAAP
- SEFA Report: Opinion on fair presentation of Schedule of Expenditures of Federal Awards in relation to the FS
- Report on ICFR and Compliance (scope of testing, results of tests)
- Single Audit Act Report: Report on Compliance and IC over Compliance (scope of testing of IC, opinion on compliance)
- Schedule of Findings and Questioned Costs
What is specifically referenced in the report on ICFR and compliance in a single audit?
separate Schedule of Findings and Questioned Costs
The auditor must report questioned costs of a given type of compliance requirement that exceed _____.
$25,000
Does an auditor have a duty to report likely fraud (not proven)?
Yes, if it is deemed likely and material.
What is the four-step process used to determine “major programs”?
- Identify Type A and Type B, based on $750K cutoff.
- Identify Type A programs that are low risk.
- Identify Type B programs that are high risk.
- Major programs include all Type A that are NOT low risk and all Type B that are high risk, at minimum.
When is a Type A program considered low risk (2 criteria)?
- no risk factors
- have been audited as a major program in at least one of the two most recent audit periods
When can a Type A program NOT be considered low risk (3 or)?
- material weakness in IC
- modified opinion on program
- known or likely questioned costs that are >5% of total awards expended
For low-risk auditees, what % of total federal awards expended MUST the auditor test?
20%
For high-risk auditees, what % of total federal awards expended MUST the auditor test?
40%
Being in the early phase of a program’s life cycle (increases/decreases) inherent risk.
Increases.
Is negative assurance the same as expressing an opinion?
No.
Should an auditor’s report on compliance in connection with an audit of FS indicate that instances of noncompliance have been disclosed to those charged with governance?
No.
Specific findings are presented when an _______ engagement is performed and not when an _____ is performed.
AUP, examination
Management’s proactive efforts to timely and effectively address compliance findings in audits (is explicitly stated/presumed).
is presumed.
T/F: Materiality must always be documented in monetary terms in a compliance audit.
False, it may not always be quantifiable.
What is the first and second thing the auditor should do after they suspect fraud/noncompliance?
- Further procedures.
- Communicate with appropriate level.
In a performance audit, is a concurrent opinion on the financial statements taken as a whole required?
No!
Per Government Auditing Standards, audit documentation should contain sufficient information so that supplementary ____ ____ are not required.
oral explanations
The audit documentation (does/does not) need to say that all instances of material fraud may not be detected.
does not
T/F: The GAGAS auditor should obtain written representations from management acknowledging responsibility for correcting instances of fraud, abuse, and waste.
False, the auditor only needs a representation that management will take corrective action on findings in a compliance audit.
A compliance report (should/should not) state that compliance audit provides a legal determination of the entity’s compliance.
should not
The cognizant agency for a single audit is the federal agency that…
provides the most direct funding to a non-federal entity.
T/F: The representation letter in a governmental audit should include a statement that management has disclosed all material governmental programs to the auditor.
False, they have to disclose all, not just the material ones.
The reporting standard under GAGAS (change/augment) the GAAS standards associated with reports on audited financial statements.
augment
What two scenarios create a need for external reporting of noncompliance by the auditor in a governmental audit?
- management is unwilling to take corrective action, OR
- a specific requirement by the grantor that discovery of noncompliance is reported
T/F: The audit opinion (governmental audit) states that the audit was conducted in order to express an opinion on compliance but not for the purpose of expressing an opinion on the effectiveness of internal control over compliance.
True.
When reporting under Government Auditing Standards, the auditor should consider whether any noted deficiencies in such internal controls should be reported to ___ ___ and ___ ___.
specific legislative and regulatory bodies
If the audit committee refuses to communicate fraud to the contracting party, under GAGAS, the auditor has a responsibility to report the fraud to …
the counterparty to the contract
T/F: GAGAS prescribe additional standards related to both the direct reporting of illegal acts and reporting on internal controls.
True.
A single audit represents a combined audit of both …
(1) entity’s financial statements and
(2) federal financial assistance programs
In a single audit, assurance in the form of an opinion is provided on the compliance (requirements/tests) for major programs.
requirements, not tests