Assessing Risk & Developing Planned Response (25-35%) Flashcards

Question

What are internal control objectives for receipt of cash?

Answer 1

- when cash/checks received, posted to a remittance log (listing of all cash receipts) - transaction is also posted in cash receipts journal and all cash receipts will be posted to that month's receipts in the general ledger - different EEs should open the mail, do accounting activities, prepare deposits of checks, and reconcile bank accounts - each cash receipt should be listed immediately when mail is opened (best is to use bank lockbox system) - ERs will bond EEs that handle cash receipts (insures company against loss from illegal acts by EEs) - lapping = when cash received from customer is stolen and shortage is hidden by crediting first customers account with cash received from a second customer - prevented by 2 different people receiving cash & posting payments received to AR ledger

Answer 2

- purchasing department makes purchases using pre-numbered purchase orders - AR department takes possession of deliveries - AP department handles accounting function & approves payments - only designated EEs able to make purchases for company - checks require dual signatures - both receipts and disbursements bank reconciliations should be prepared on a timely basis - all key documents pre-numbered and sequence should be accounted for - supporting documents such as invoices cancelled as paid as soon as they are paid

Answer 3

- EE timecards/timesheets taken and prepared/recorded in payroll journal (supervisor approval) - checks given to EEs & periods payroll is posted to GL - HR keeps records containing pay rates/personnel files - treasury issues checks, signs them & distributes them - payroll department calculates payroll & does record-keeping each period

Answer 4

- GENERAL controls (widespread/pervasive) | - APPLICATION controls (specific to)

Answer 5

- controls over data & network operations - software acquisition - access security - physical security of assets (access to records) - authorization to computer programs/data - file backup & disaster recovery plan

Answer 6

1) INPUT CONTROLS (meant to reduce mistakes when data is entered into system): - BATCH TOTALS (totals that actually mean something - total of cash received that day) - HASH TOTALS (totals with no dollar meaning, but can be used to check for mistakes - employee ID #s being added up) - RECORD COUNT (keeps track of # of records processed to determine that right # of records have been accounted for) 2) LOGIC CHECKS: - LIMIT TESTS (system would not accept 300 hours worked in one week) - VALIDITY CHECKS (limit certain input to only valid responses - phone number field: letters, no letters) - MISSING DATA CHECKS (input fields required & wont let user move on until required entered) 3) PROCESSING CHECKS: - CHECKPOINTS (for long processes - if process crashes, entire process does not have to be re-executed) - LIMIT ON PROCESSING TIME (if process takes longer than certain limit, process shuts down, assumes error occurred)

Answer 7

- GENERALIZED software (out of the box - general functions) - CUSTOMIZED software (program created to access/use - more expensive if developed for specific clients individually) - DATA MINING software (commercial - provides features for doing substantive analytics) * when client processes most of its data in electronic form, auditor considers using an 'EMBEDDED AUDIT MODULE' - computer program inserted into clients system which selects transactions for further review by auditor

Answer 8

- TEST DATA (put dummy transactions through clients system that contain known errors to see if system catches errors) - INTEGRATED TEST FACILITY (creating dummy division within clients system & running dummy data alongside clients real data) - PARALLEL SIMULATION (processing clients data on auditors software to compare between outputs) - TAGGING (tags a transaction in order to follow it through clients system)

Answer 9

SOC1: service organizations that handles financial information for clients SOC2: based on a framework to help service organizations demonstrate their cloud & data center security controls. report is based on Trust Services Criteria.

Answer 10

SACPIP - SECURITY (system/data to be protected against unauthorized access) - AVAILABILITY (system/date to be available for use/operation) - CONFIDENTIALITY (information designated as confidential to have appropriate protections) - PROCESSING INTEGRITY (system/data processing must be timely/accurate/authorized) - PRIVACY (any personal information collected to be used/retained/disclosed/disposed of appropriately)

Answer 11

outsourcing their payroll company (ADP) - auditor to gain understanding of services provided by service organization & the effect on client's internal controls

Answer 12

prepared by auditor - provide description of service organization's system and their internal controls #1 - - covers service organizations system & design of controls - report will include a disclaimer of opinion about operating effectiveness of controls #2 - - covers service organizations system, design of controls & operating effectiveness of controls - report provides higher level of assurance than #1

Answer 13

- CONTROL ENVIRONMENT CONSIDERED INEFFECTIVE - may require overall response by auditor - assigning more experienced staff to audit, using specialists, using more unpredictable audit procedures - SUBSTANTIVE PROCEDURES ALONE WOULD NOT YIELD APPROPRIATE AUDIT EVIDENCE - auditor to use combined approach & use tests of controls to test operating effectiveness of controls in addition to substantive tests - SIGNIFICANT CONCERNS ABOUT RMM (risk of material misstatement due to integrity of management or poor control environment) - may raise doubts about ability to audit FS - consider withdrawing * risk assessment can change as audit goes on

Answer 14

assessed level of RMM used to determine acceptable level of DR (detection risk) for FS assertions (RMM is highest in transactions that require significant judgement & lowest in routine transactions) then auditor uses acceptable level of DR to determine nature & extent of audit procedures to use significant transactions - will always be some substantive procedures performed as risks identified, auditor determines if relate to specific assertions or FS as a whole, then auditor identifies controls related to risks & specific assertions may not be able to gather sufficient audit evidence from substantive procedures alone & would need to do test of controls in addition

Answer 15

changes to substantive procedures: - increasing sample size - expanding substantive procedures - using independent parties for testing such as confirmations *general idea - when high risk of misstatement identified - effectiveness & reliability of substantive testing should be increased - more reliable forms of testing are used

Answer 16

materiality set for FS as a whole is a set amount can be calculated in different ways - common approaches: - 1 - 2% of total assets - 5 - 10% of net profit - 1% of equity *some firms have their own formulas/worksheets for determining materiality

Answer 17

amount lower than materiality for FS - set lower so that it lowers the risk of uncorrected misstatement + undetected misstatements can be set in different ways - simple or complex - 10% of materiality - 5% or a certain percentage of a transaction class/account balance *will always be a fraction of materiality

Answer 18

amount determined by auditor, that if an error or misstatement is found, where the difference from correct amount is below the TM, it will not impact the fair presentation of the FS

Answer 19

external auditor is considering using internal auditors to help with audit - COMPETENCE of internal auditors - OBJECTIVITY of internal auditors - internal auditors use of a systematic & disciplined approach if competent & objective - can be used to perform tests of internal controls & substantive tests final conclusions must be made by external auditor - cannot allow judgement from internal auditors on materiality of misstatements or evaluation of accounting estimates

Answer 20

COMPETENCE: (Cs and Es) obtain information about Educational background, professional Experience, and professional Certifications OBJECTIVITY: (Os) determine Organizational level to which internal auditors report

Answer 21

external auditor is considering using specialist to help with audit - expertise needed outside of accounting/auditing that is necessary for gathering appropriate & sufficient audit evidence - COMPTENENCE of specialist - OBJECTIVITY of specialist should be an agreement in writing that details what services will be performed, requirements of work needed, and any expected communications as a result of the specialist's work

Answer 22

component auditor's FS need to be prepared using same framework as the group, and needs to have performed their audit according to applicable standards auditor can decide to assume responsibility for component auditor's work - if they do, they will not reference their work in audit report at all - if they do not, they will name them in their audit report (must obtain permission to do so)

Answer 23

- irregular cash payments - sudden discontinued business segment - investigations by government agency - unauthorized transactions - unexplained payments to government employees

Answer 24

big area of attention for auditor - more complex the estimate, more room for material misstatement - evaluate whether reasonable in circumstances FV estimates not traded on an active market are complex estimates that can leave room for error

Answer 25

- determine whether management has applied rules of reporting framework correctly - been consistent in their methods for making estimates - evaluate management's assumptions used to make estimate - evaluate methods of measurement used to make estimate - perform tests of controls on controls used to make estimate, in addition to substantive testing

Answer 26

- inquiry of management or requesting a list of all related parties to entity - reviewing board minutes - inspecting large, unusual transactions (large note payable with a 1% interest rate) - reviewing confirmations on large balances

Answer 27

Audit Risk = risk that material errors or fraud exists IR (inherent risk) = certain items more susceptible to risk CR (control risk) = misstatement may not be prevented DR (detection risk) = material misstatement may not be detected AR = IR x CR x DR *IR and CR exist independently of audit

Answer 28

ACCOUNT BALANCES: - many transactions - small dollar amounts TRANSACTION CLASSES: - few transactions - large dollar amounts

Answer 29

CHOCO - collusion - human error - override by management - competence - obsolescence

Answer 30

SAP-OLS - Systems Analyst (design the system) - Programmer (develop code for system) - Operator (run system) - Librarian (keeps track of data for system) - Security (safeguards system)

Answer 31

- PARITY CHECK (transmission of information between system & hardware components) - ECHO CHECK (transmission of information over phone lines) - DIAGNOSTIC ROUTINES (checks internal operations of hardware components) - BOUNDARY PROTECTION (allows multiple jobs running simultaneously) - SOURCE CODE COMPARISON PROGRAM (tests for unauthorized program changes - compares compiled code to original program) - SECURE PASSWORD (8 characters, special characters, mixture of upper & lower case, unique, changed regularly) * one disadvantage - computer data files vs. manual data files - easier for unauthorized person to access & alter

Answer 32

evaluate effectiveness of design & operation of internal controls - inquiries - inspection - observation - walkthroughs - reperformance

Answer 33

detect material misstatements in transaction classes, account balances, and disclosure components of the FS - tests of details (more extensive) - substantive analytical procedures *can be dual purpose tests (tests of transactions & tests of controls)

Answer 34

1 - establish preliminary judgement about overall materiality 2 - allocate preliminary judgement about materiality to account balances or class of transactions 3 - estimate the aggregated misstatements & compare to materiality & tolerable misstatements

Answer 35

- quantitative base (total assets, revenues, income before taxes) * % of net income, revenue, assets (before taxes) or common = 3-5% of net income - qualitative base (1st year engagement, control weaknesses, management turnover, high market pressures, high fraud risk, abnormal bankruptcy risk) * when being more careful (1st year engagement), materiality would be lower

Answer 36

This is called tolerable misstatement or performance materiality helps the auditor evaluate if individual account balances are misstated (50-75% of overall)

Answer 37

``` aggregated misstatements (account level or FS level): - FACTUAL misstatements (amount of misstatements is known) ``` - JUDGEMENTAL misstatements (based on difference between auditor & management regarding accounting estimates) - PROJECTED misstatements (based on sample data) - misstatements CARRIED FORWARD from prior periods and affect future years (ex: inventory)

Answer 38

ACCOUNT LEVEL (done during fieldwork) - compare aggregated misstatements vs. tolerable misstatements/performance materiality if: AM < TM/PM (20K < 50K) - account fairly stated if: AM > TM/PM (70K > 50K) - account NOT fairly stated (tell management to adjust) ``` . FS LEVEL (done at very end of audit) - compare aggregated misstatements vs. materiality ``` if: AM < M (45K < 100K) - FS fairly stated if: AM > M (150K > 100K) - FS NOT fairly stated (tell management to adjust) *must adjust whole thing, not just adjust to make under materiality

Answer 39

AR ---------- = DR IR x CR IR^ > DR down > evidence^ (gather more evidence) CR^ > DR down > evidence^ (gather more evidence) *need to rely on self (auditor)

Answer 40

susceptibility of an assertion to MM (material misstatement), assuming no related internal controls - identified risks based on auditors understanding of entity & its environment, including any fraud risk factors - significant transactions/classes of transactions not processed systematically - nonroutine transactions (obsolete inventory) - significant estimates or judgements (bad debt exp) - highly complex significant transactions - application of new standards with significant effect - revenue recognition in certain industries or for certain types of transactions - significant industry-specific issues - history of misstatement

Answer 41

risk that material misstatement will not be prevented or detected on a timely basis by entity's internal controls can be any number of things that fall under the entity's internal controls - all pertaining to the 5 elements of control (CRIME) - control environment - entity's risk assessment procedures - control activities - information & communication - monitoring controls

Answer 42

risk that auditor will not detect a material misstatement that exists in the FS - sampling risk (sample does NOT represent the population) - non-sampling risk (auditor error - inappropriate audit procedure, misrepresentation of results)

Answer 43

any external or internal factors, pressures or forces that bear on the entity's ability to survive & be profitable - significant changes in entity (mergers, reorganizations) - significant changes in industry - significant new products/services/lines of business - new locations - significant changes in IT environment - operations in areas with unstable economies - high degree of complex regulation

Answer 44

- INQUIRIES of management & others - INSPECTION - OBSERVATION - ANALYTICAL PROCEDURES *identify high risk areas!

Answer 45

UNINTENTIAL MISSTATEMENTS or omissions of amounts/disclosures - mistakes in gathering/processing accounting data - unreasonable accounting estimates arising from oversight/misinterpretation of facts - client mistakes in application of accounting principles relating to amount/classification/manner of presentation/disclosure (ex: misapply FIFO, GAAP to depreciation exp)

Answer 46

INTENTIONAL MISSTATEMENTS MISAPPROPRIATION OF ASSETS - stealing assets - paying for goods/services not received - embezzling cash received FRAUDULENT FINANCIAL REPORTING - manipulation/falsification/alteration of accounting records/supporting documents - misrepresentation in or intentional omission from FS events/transactions/significant information - intentional misapplication of accounting principles relating to amount/classification/manner of presentation/disclosure

Answer 47

CRIME (17): ``` Control Activities (3) - CA.TP -control activities, technology, policies/procedures ``` Risk Assessment Procedures (4) - SAFR -specify, assess, fraud, risks Information & Communication (3) - OIE -obtain, internal, external Monitoring (2) - SO.D -ongoing/separate, deficiencies ``` Control Environment (5) - EBOCA -ethical, board, oversight/organizational, competence, accountability ```

Answer 48

Control Environment (5): EBOCA 1 - ETHICAL - organization demonstrates commitment to integrity & Ethical issues 2 - BOARD - BOD demonstrates independence & exercises oversight of development & performance of IC 3 - OVERSIGHT/ORGANIZATIONAL - management establishes with BOD Oversight, structures/reporting lines in pursuit of objectives 4 - COMPETENT - organization demonstrates commitment to attract/develop/retain Competent individuals in alignment with objectives 5 - ACCOUNTABLE - organization holds individuals Accountable for their IC responsibilities in pursuit of objectives

Answer 49

Risk Assessment Procedures (4): SAFR 6 - SPECIFY - organization Specifies objectives with sufficient clarity to enable identification & assessment of risks relating to objective 7 - RISKS - organization identifies Risks to achievement of its objectives across entity & analyzes risks as basis for determining how risks should be managed 8 - FRAUD - organization considers potential for Fraud in assessing risks to achievement of objectives 9 - ASSESS - organization identifies & Assesses changes that could significantly impact system of IC

Answer 50

Control Activities (3): CA.TP 10 - CONTROL ACTIVITIES - organization selects & develops Control Activities that contribute to mitigation of risks to achievement of objectives to acceptable levels 11 - TECHNOLOGY - organization selects & develops general control activities over Technology to support achievement of objectives 12 - POLICIES & PROCEDURES - organization deploys control activities through Policies that establish what is expected & Procedures to that put policies into action

Answer 51

Information & Communication (3): OIE 13 - OBTAIN - organization Obtains/generates & uses relevant/quality information to support functioning of IC 14 - INTERNAL - organization Internally communicates information including objectives & responsibilities for IC necessary to support functioning of IC 15 - EXTERNAL - organization communicates with External parties regarding matters affecting functioning of IC

Answer 52

Monitoring (2): SO.D 16 - SEPARATE or ONGOING - organization selects/develops/performs Ongoing and/or Separate evaluations to ascertain whether components of IC are present & functioning 17 - DEFICIENCIES - organization evaluates & communicates IC Deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management & BOD, as appropriate

Answer 53

- changes in operating environment - new personnel - new/revamped information system - rapid growth - new technology - new business models/products/activities - corporate restructurings - expanded international operations - new accounting pronouncements *a lot deal with change

Answer 54

PIPS-CAR - Performance reviews (independent checks) - Information processing controls, including authorization & document-based controls - Physical controls (assets/resources) - Segregation of duties (CAR): - Custody of assets - Authorization - Recording

Answer 55

- measure value of transactions properly (VALUATION) - identify & record all valid transactions (COMPLETENESS) - classify transactions properly (CLASSIFICATION) - record transactions in proper period (CUTOFF) - properly present transactions & disclosures (PRESENTATION) *relate to management assertions

Answer 56

- copies of entity's procedures manuals & organizational charts - narrative descriptions (memos) - internal control questionnaire - flowcharts

Answer 57

sets control risk at maximum level (100%) - operating as if do not have controls (not relying on controls) rely on substantive tests exclusively & extensively *private companies can choose either strategy

Answer 58

sets preliminary control risk less than maximum (92%, 63%, etc.) - relying on controls - if conclude, controls are effective, can proceed w/control risk being less than maximum - can get away w/less extensive substantive tests - if conclude, controls are ineffective, auditor can... 1) test other controls? 2) control risk will be set to maximum (100%) and proceed as if under substantive strategy reliance strategy is more work (have to test controls-up front costs), however, less of extensive tests (savings) *public companies must choose reliance strategy as SOX requires internal controls to be audited