Assessing Risk & Developing Planned Response (25-35%) Flashcards
What should the auditor do when developing an overall audit strategy?
- identify characteristics of audit that define its scope
- assess reporting objectives in order to plan timing of audit and nature of communications required
- decide what factors are significant in directing audit team
- analyze results of preliminary procedures
- assess nature, timing, and extent of resources necessary to perform engagement
What does developing a detailed engagement plan involve?
- obtaining understanding of entity & its environment
- doing a risk assessment
- if applicable, done while comparing & contrasting to PY’s engagement
point of audit planning is to plan the audit so that it will be performed effectively
engagement partner and other key members of audit team should be the ones involved in planning
What are the preliminary engagement activities?
- evaluate any QC (quality control) issues that could affect client acceptance
- evaluate any potential independence issues
- determine if audit will require work of a specialist
- audit documentation, including:
  - overall audit strategy
  - audit programs
  - any major changes made to overall strategy/audit programs during audit, and reasons for such changes
What is materiality?
an amount that, if missing or misstated on the FS, would likely lead a reasonable person to make a different decision than if the amount had been corrected
big enough to matter
- should be documented at FS level
- should document any revisions during audit
- for specific transactions or for account balances
What is audit risk?
risk or probability that auditor expresses clean opinion when there is actually a material misstatement in FS
reasonable assurance is a high level of assurance, which in turn provides a low level of audit risk
What are the 3 elements of the Audit Risk Model?
- IR (inherent risk)
- CR (control risk)
- DR (detection risk)
Audit Risk = IR x CR x DR
auditor assesses inherent risk and control risk because they affect the level of detection risk the auditor can accept
*IR x CR = RMM (risk of material misstatement) - assessed by auditor
What are Analytical Procedures and what are 3 ways they are used?
evaluations of financial information based on relationships among both financial data and non-financial data
can involve trends, comparing CY to PY, ratios, etc.
analytics used in 3 ways:
- in planning stage for risk assessment (required)
- as substantive procedure (not required)
- as a final review (required)
How does fraud play a role in auditing?
an audit provides only reasonable assurance that fraud will be detected - it may not detect all fraud
professional skepticism - having a questioning mind and critically assessing audit evidence - do not assume fraud is happening, but question assertions made by management
What are the types of fraud?
- fraudulent reporting
  - pressure to meet expectations or requirements (earnings projections, debt covenants, financing agreements)
- misappropriation of assets
  - pressure on EEs such as personal financial problems
  - low EE morale or an attitude of "the company owes me" or "I am underpaid"
  - assets that are easy to access, such as EEs that have access to cash
What is involved in Management Override of Internal Controls?
management override is one of the biggest risk factors for fraud
examples:
- pushing through a transaction that does not have a real business purpose
- unauthorized journal entry
- putting pressure on an EE to make a JE they would not normally make
procedures would include:
- examining AJEs
  - especially JEs close to the beginning & end of reporting periods
- evaluate estimation for bias
- examine authorization for unusual transactions
How should the communication work if fraud is found?
if misstatement is material - auditor informs those charged with governance, whether or not senior management is involved in the fraud
if misstatement is not material - auditor informs appropriate level of management (one level above where fraud occurred)
When does an auditor report fraud to an outside party?
- when subpoena has been issued
- when SEC (public) client is changing auditors
- as required by GAS - Government Auditing Standards
- when auditor has been authorized to communicate with preceding auditor
What are the EXTERNAL factors to gaining an understanding of entity and its environment?
- INDUSTRY factors (market, competition, demand, seasonal activity)
- REGULATORY factors (accounting practices, frameworks, taxation, governmental policies, environmental regulations)
- ECONOMIC CONDITIONS (interest rates, financing, inflation)
- TECHNOLOGY factors
What are the INTERNAL factors to gaining an understanding of entity and its environment?
- nature of operations
- ownership & governance structure
- type of investments entity is making
- how entity is structured & financed
- how entity selects accounting policies & if appropriate to its industry
- objectives & strategies & related business risks involved
- IT systems infrastructure (ERP, cloud computing setup, custom developed)
- any significant business procedures and/or data flows that directly impact FS
What is involved in obtaining an understanding of internal controls?
EVALUATING the DESIGN of the control and determining whether the control has been implemented
auditor performs WALK-THROUGHS of key controls to verify controls have been implemented
auditor should FOCUS on SUBSTANCE of procedures (are they working & effective?) INSTEAD of their FORM - management might have appropriate controls on paper that are not actually enforced
sometimes a FLOWCHART is created/documented to show the auditor's understanding of the system
What happens if the auditor decides to rely on internal controls? If decides to not rely on internal controls?
to rely - assessing control risk below max:
reduces substantive procedures; auditor performs tests of controls to confirm that the controls, in addition to being suitably designed, are working as they are supposed to (operating effectiveness)
not to rely - assessing control risk at max:
audit plan will be wholly substantive, which means auditor will test the account through substantive procedures and will not rely on internal controls
What are the 5 elements of Internal Control?
CRIME
- (E) - CONTROL ENVIRONMENT (policies & procedures to establish overall control of organization - tone at the top)
- (R) - RISK ASSESSMENT (policies to identify & analyze relevant risks to be managed)
- (C) - CONTROL ACTIVITIES (policies & procedures so that management’s objectives will be achieved, includes Segregation of duties, Authorization, and Physical controls - SAP)
- (I) - INFORMATION & COMMUNICATION systems (policies & procedures to identify/capture/exchange relevant info so that EEs can meet their responsibilities in timely manner)
- (M) - MONITORING (policies & procedures to measure effectiveness of internal controls as time goes on)
What are Risk Assessment Procedures?
what the auditor does to assess the risk of material misstatement
- inquiries of management and others
- observation & inspection of documents
- analytical planning procedures
- review of information from prior periods
- audit team discussion about risks identified - discuss how risks affect specific areas of the audit
What is involved in performing a walkthrough?
standard procedure to make sure auditor understands flow of transactions and can document it (part of gaining an understanding, and is not a test of controls)
auditor selects few transactions and traces them through client’s accounting system
What are certain things that the audit team is required to document?
- audit team discussion about RMM (risk of material misstatement) & key elements about entity, its environment, etc.
- assessment of RMM at FS level & at relevant assertion level
- identified significant risks & related controls the auditor obtained an understanding of (walkthroughs)
With regards to Internal Controls, what is the auditor not required to do?
- perform test of controls (but can if necessary)
- search for significant deficiencies (but they may find them)
- determine whether controls are suitably designed to prevent or detect material misstatements (auditor does this, but not to all controls, just related to significant assertions/accounts)
The 3 main types of tasks that should be separated for segregation of duties include?
CAR or AAA
- Access (Custody) such as custody of the pre-numbered sales invoices or the goods being handled by the shipping department
- Authorization (execution) such as granting credit
- Accounting (Record keeping) such as entering the customer's order form & dealing with receivables & collections
What are physical controls and authorizations that should be applied?
PHYSICAL CONTROLS:
- computer passwords & different account types within system with different levels of permissions
- custody of cash receipts/inventory should be handled by EEs without access to record keeping
AUTHORIZATIONS:
- transactions should be authorized
- AJEs should be reviewed & approved by management
What are reviews and information processing that should be applied?
REVIEW:
- monthly statements should be sent to customers
- related documents such as sales invoice, sales order form, and shipping documents should be compared
- cutoff should be verified to make sure transactions have been recorded in proper period
INFORMATION PROCESSING:
- focus on entity’s records regarding audit trail
- all key documents should be pre-numbered and sequence should be accounted for
- aged trial balance should be reconciled to GL periodically
What are internal control objectives for receipt of cash?
- when cash/checks received, posted to a remittance log (listing of all cash receipts)
- transaction is also posted in cash receipts journal and all cash receipts will be posted to that month’s receipts in the general ledger
- different EEs should open the mail, do accounting activities, prepare deposits of checks, and reconcile bank accounts
- each cash receipt should be listed immediately when mail is opened (best is to use bank lockbox system)
- ERs will bond EEs that handle cash receipts (insures company against loss from illegal acts by EEs)
- lapping = when cash received from a customer is stolen and the shortage is hidden by crediting the first customer's account with cash received from a second customer - prevented by having 2 different people receive cash & post payments received to the AR ledger
What are internal control procedures for expenses/disbursements?
- purchasing department makes purchases using pre-numbered purchase orders
- AR department takes possession of deliveries
- AP department handles accounting function & approves payments
- only designated EEs able to make purchases for company
- checks require dual signatures
- both receipts and disbursements bank reconciliations should be prepared on a timely basis
- all key documents pre-numbered and sequence should be accounted for
- supporting documents such as invoices cancelled as paid as soon as they are paid
What are internal control procedures for payroll?
- EE timecards/timesheets taken and prepared/recorded in payroll journal (supervisor approval)
- checks given to EEs & the period's payroll is posted to GL
- HR keeps records containing pay rates/personnel files
- treasury issues checks, signs them & distributes them
- payroll department calculates payroll & does record-keeping each period
What are the 2 main categories of IT Controls?
- GENERAL controls (widespread/pervasive)
- APPLICATION controls (specific to)
What are the policies and procedures under the General Controls of IT Controls?
- controls over data & network operations
- software acquisition
- access security
- physical security of assets (access to records)
- authorization to computer programs/data
- file backup & disaster recovery plan
What are the policies and procedures under the Application Controls of IT Controls?
1) INPUT CONTROLS (meant to reduce mistakes when data is entered into system):
- BATCH TOTALS (totals that actually mean something - total of cash received that day)
- HASH TOTALS (totals with no dollar meaning, but can be used to check for mistakes - employee ID #s being added up)
- RECORD COUNT (keeps track of # of records processed to determine that right # of records have been accounted for)
2) LOGIC CHECKS:
- LIMIT TESTS (system would not accept 300 hours worked in one week)
- VALIDITY CHECKS (limit certain input to only valid responses - e.g., a phone number field accepts no letters)
- MISSING DATA CHECKS (input fields are required & system won't let user move on until required fields are entered)
3) PROCESSING CHECKS:
- CHECKPOINTS (for long processes - if process crashes, entire process does not have to be re-executed)
- LIMIT ON PROCESSING TIME (if process takes longer than a certain limit, process shuts down, assuming an error occurred)
What are the types of audit software for evidence gathering?
- GENERALIZED software (out of the box - general functions)
- CUSTOMIZED software (program written to access/use a specific client's system - more expensive when developed individually for each client)
- DATA MINING software (commercial - provides features for doing substantive analytics)
- when client processes most of its data in electronic form, auditor considers using an 'EMBEDDED AUDIT MODULE' - computer program inserted into the client's system which selects transactions for further review by the auditor
What are Tests of Controls Procedures when IT Controls are Internal?
- TEST DATA (put dummy transactions containing known errors through the client's system to see if the system catches the errors)
- INTEGRATED TEST FACILITY (creating a dummy division within the client's system & running dummy data alongside the client's real data)
- PARALLEL SIMULATION (processing the client's data on the auditor's software to compare the outputs)
- TAGGING (tags a transaction in order to follow it through the client's system)