A5N Flashcards
In an integrated audit of a nonissuer TOC’S
Testing controls over specific risks at business units that are material to the company’s consolidated financial statements.
Issuer audit both auditor & MNGMT report on IC
It is management’s responsibility to assess and report on internal control, but the auditor is also required to assess and report on internal control.
Auditor to accept an engagement to audit and report on a nonissuer’s internal control over financial reporting?
Management presents its written assessment about the effectiveness of internal control.
If a service auditor is unable to obtain a written assertion from the service organization’s management (PCAOB Audit) regarding its system and the suitability of the design and operating effectiveness of controls, it would be most appropriate for the auditor to:
Withdraw from the engagement unless prohibited by law.
Integrated Audit:
“top-down approach”
The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.
Example: Begin by understanding the overall risks to internal control over financial reporting at the financial statement level.
Integrated Audit:
effective way of understanding sources of potential misstatements.
Walkthroughs are frequently the most effective way of understanding sources of potential misstatements.
Because you trace it from initiation all the way to reporting
risk assessment process in an integrated audit of a nonissuer
Determining evidence necessary to conclude on the effectiveness of a given control.
Entity-level controls (ELCs)
include controls related to the control environment, the risk assessment process, and the policies over risk management practices.
Difference between scope, procedures, and purpose of tests of controls
issuer vs. non-issuer?
Scope = different
Procedures- different
Scope= different
ALL different
responsibility of the auditor with respect to significant deficiencies and material weaknesses in an audit of an issuer
In an audit of an issuer, the auditor is required to communicate both significant deficiencies and material weaknesses to management and the audit committee, but only material weaknesses result in an adverse opinion on the effectiveness of internal control
Note: If an auditor performing an integrated audit identifies one or more material weaknesses in a nonissuer’s internal control, the auditor should express an adverse opinion on the entity’s internal control.
Auditor to TCWG
The auditor is not required to communicate all control deficiencies to those charged with governance.
However, control deficiencies that are determined to be significant deficiencies and material weaknesses are required to be communicated to those charged with governance.
Timing in communicating weaknesses
An auditor is required to communicate material weaknesses prior to the issuance of the auditor’s report on internal control over financial reporting.
auditor’s responsibility to communicate material weaknesses in internal control over financial reporting
An auditor is not required to communicate material weaknesses to all stockholders.
Summary of communicating weaknesses
The auditor is required to communicate all deficiencies in internal control to management, and deficiencies that constitute a significant deficiency or a material weakness to management and the audit committee.
In an integrated audit of a nonissuer, an auditor should issue an adverse opinion on the effectiveness of an entity’s internal control in which of the following situations?
A material weakness exists.
Issuers integrated Audit:
An auditor identifies a material weakness during the audit of management’s assessment of the effectiveness of internal control over financial reporting. Which of the following is correct?
The company’s internal control over financial reporting cannot be considered effective.
The presence of a material weakness in internal control results in an adverse opinion on the effectiveness of internal control over financial reporting
Statements on Standards for Attestation Engagements (SSAE) example
> Review management’s discussion and analysis (MD&A) prepared pursuant to rules and regulations adopted by the SEC.
> Review of pro forma financial information
> Examining future financial statements constitutes an examination of prospective financial statements
> management’s assertion that the square footage of a warehouse offered for sale
Negative assurance expressed when an accountant is requested to report on the
report on the results of performing a review of management’s assertion.
The requirement that the CPA be independent is included in both
GAAS (generally accepted auditing standards)
&
SSAE (Statements on Standards for Attestation Engagements)
compilations of prospective financial statements are governed by Statements on Standards for Accounting and Review Services (SSARS).
Statements on Standards for Attestation Engagements DO NOT address services involving advocating for a client, such as testifying as an expert witness.
MD&A presentation
nonfinancial data has been accurately derived from related records.
LIMITATIONS OF Attest engagements covered under Statements on Standards for Attestation Engagements (SSAE)
Attest engagements covered under Statements on Standards for Attestation Engagements (SSAE) specifically exclude services performed in accordance with Statements on Standards for Accounting and Review Services (SSARS).
Statements on Standards for Attestation Engagements (SSAE) provide:
a framework for the attest function beyond historical financial statements.
A practitioner reporting on pro forma does not possess an understanding of the client’s business and the industry in which the client operates. The practitioner should take which of the following actions?
Review industry trade journals.
reporting on internal control when performing an integrated audit of a nonissuer
Whether or not a material weakness exists, the auditor must express an opinion directly on the effectiveness of internal control, and not on management’s assessment.
SOC 1® vs SOC 2®
A SOC 1® report is a report on the internal controls over financial reporting at a service organization and a SOC 2® report is a report on internal controls related to one or more of the Trust Services Criteria.
SOC REPORT
Information regarding the service organization’s system for calculating accounts receivable balances is relevant for gathering data on the service organization’s internal controls.
soc 1 report type 1 vs type 2
TYPE 1: Provides more general (not detailed) info ONLY design and implementation
TYPE 2: Provides a more in-depth analysis (security, availability, processing integrity, confidentiality, and privacy.)
SOC 1® Type 1
should include management’s description of the service organization’s system.
SOC auditor should include in their report:
a description of the scope and nature of the procedures performed.
Type 2 (SOC 1 & SOC 2 ) tests for operating effectiveness of controls
Both a SOC 1® and SOC 2® report can include the tests of operating effectiveness of controls if a Type 2 report is issued. Type 1 reports of both SOC 1® and SOC 2® reports only include testing of the design and implementation of controls and do not include testing of the operating effectiveness.
Requirement for accepting an attestation engagement to report on the controls at a service
The service auditor has the competence and capability to perform the engagement.
User auditor (CPA performing financial audit) can inquire about the competence of the service auditor (CPA performing SOC report)
YES, In considering whether the service auditor’s report is satisfactory for the user auditor; the user auditor should make inquiries concerning the service auditor’s competence.
if an auditor is asked to issue a report on a client’s compliance with contractual agreements or regulatory requirements in connection with a financial statement audit,
The auditor must have audited the client’s financial statements and may only issue negative assurance on compliance.
Negative assurance =
Not an OPINION
If the auditor issues a report on compliance with contractual agreements in connection with the audit of financial statements, the report should include
a reference to the specific covenants of the contractual agreements. This is required in cases of compliance or noncompliance.
When an auditor reports on a nonissuer’s compliance with aspects of contractual agreements in a report separate from the audit report on the financial statements, the report should include a statement that:
The report is being provided in connection with the audit of the financial statements.
Since it is separate, the auditor needs to mention that the report is being provided in connection
Examination has an OPINION
The purpose of examination procedures applied to compliance requirements is for the practitioner to accumulate sufficient evidence regarding an entity’s compliance with specified requirements to allow for the practitioner to issue an opinion with reasonable assurance.
The standards that govern examinations are the compliance attestation standards.
EXAMINATION = ATTESTATION
Compliance attestation standards apply for an examination of a client’s compliance with specified requirements, such as debt covenants associated with a bank loan. In addition, examination engagements fall under attestation standards.
Examination/attestation should assess control risk & Practitioner MUST be Independent
The auditor should assess attestation risk, which is composed of control risk, inherent risk, and detection risk. Fo
Single Audits = expenditures of federal awards (from the government)
The auditor is to determine whether the federal financial assistance has been administered in accordance with applicable laws and regulations.
2 CFR 200 single audit
Performance of additional procedures to test and report on compliance with laws, rules, regulations and provisions of contracts or grant agreements that have a direct and material effect on major federal award programs.
In addition RISK BASED APPROACH is allowed to determine Major Grants
In addition, materiality is determined separately for each major federal financial assistance program.
Auditors engaged to perform audits of federal financial assistance (generally under the provisions of the Single Audit Act) must perform procedures to :
obtain an understanding of internal control pertaining to compliance, and should document this understanding of internal control.
Single Audits don’t provide “reasonable assurance” - they provide “COMPLIANCE” (w/ FED regulations)
One of the objectives of single audits is to audit the compliance of federal awards expended during the year as a basis for issuing additional reports on compliance related to major programs.
How does Title 2 of the Code of Federal Regulations (containing single audit requirements) define a subrecipient?
As a nonfederal entity that expends federal awards received from another entity to carry out a federal program.
Single Audit: If material instances of noncompliance are identified, the auditor should express
either a qualified or adverse opinion on compliance
financial statement audits in accordance with Government Auditing Standards report should say…
An auditor should report on the scope of the auditor’s testing of internal controls.
They are not expressing an opinion on IC they just need to REPORT the testing of IC
GAGAS (Generally Accepted Government Auditing Standards) Apply to both
> audits of federal financial assistance and
> government organizations
GAGAS terms to describe a professional requirement to comply with a standard or provide a special explanation for not doing so
Presumptively mandatory requirement
GAGAS (Generally Accepted Government Auditing Standards yellow book) audit has greater reporting responsibilities than accepted under a GAAS (Generally Accepted Auditing Standards) b/c…?
Auditor Accepts greater reporting responsibilities than accepted under a GAAS audit, since the auditor must report on compliance with laws, rules, and regulations, violations of which may affect financial statement amounts, and on the organization’s internal control over financial reporting.
Government Audit Standards define three types of engagements:
> financial audits
> attest engagements
> performance audits
Government Auditing Standards (the Yellow Book), report contains/discloses
The scope of the auditor’s testing of internal controls.
Government Auditing Standards (the Yellow Book), report DO NOT contain:
A concurrent opinion on the financial statements taken as a whole
Government Auditing Standards require
the auditor to issue a written report on the understanding of internal control and assessment of control risk.
Government Auditing Standards require
Present the results of the auditor’s tests of controls.
=scope of the auditor’s testing of compliance with laws and regulations and internal control over financial reporting, and present the results of those tests.
Government Auditing Standards in some circumstances
require AUDITORS to report fraud and illegal acts directly to parties external to the audited entity.
GAGAS, INFO excluded —>
Disclose in the report that certain information has been omitted and the reasons that make the omission necessary.
Government Auditing Standards report includes:
A disclaimer of opinion on internal control over compliance.
The audit opinion states that the audit was conducted in order to express an opinion on compliance but not for the purpose of expressing an opinion on the effectiveness of internal control over compliance.
GAGAS require a written report on the auditor’s understanding of internal control. The auditor should report all significant deficiencies and material weaknesses in internal control.
Report as findings both the significant deficiencies and the material weaknesses.