Assessing Risk & Developing Planned Response (25-35%) Flashcards
What should the auditor do when developing an overall audit strategy?
- identify characteristics of audit that define its scope
- assess reporting objectives in order to plan timing of audit and nature of communications required
- decide what factors are significant in directing audit team
- analyze results of preliminary procedures
- assess nature, timing, and extent of resources necessary to perform engagement
What does developing a detailed engagement plan involve?
- obtaining understanding of entity & its environment
- doing a risk assessment
- if applicable, done while comparing & contrasting to PY’s engagement
point of audit planning is to plan the audit so that it will be performed effectively
engagement partner and other key members of audit team should be the ones involved in planning
What are the preliminary engagement activities?
- evaluate any QC (quality control) issues that could affect client acceptance
- evaluate any potential independence issues
- determine if audit will require work of a specialist
- audit documentation, including:
  - overall audit strategy
  - audit programs
  - any major changes made to overall strategy/audit programs during audit, and reasons for such changes
What is materiality?
an amount that, if missing or misstated on the FS, would likely lead a reasonable person to be influenced to make a different decision than if the amount had been corrected
big enough to matter
- should be documented at FS level
- should document any revisions during audit
- for specific transactions or for account balances
What is audit risk?
risk or probability that auditor expresses clean opinion when there is actually a material misstatement in FS
reasonable assurance is a high level of assurance, which in turn provides a low level of audit risk
What are the 3 elements of the Audit Risk Model?
- IR (inherent risk)
- CR (control risk)
- DR (detection risk)
Audit Risk = IR x CR x DR
auditor assesses inherent risk and control risk because they affect the level of detection risk that the auditor can accept
*IR x CR = RMM (risk of material misstatement) - assessed by auditor
What are Analytical Procedures and what are 3 ways they are used?
evaluations of financial information based on relationships among both financial data and non-financial data
can involve trends, comparing CY to PY, ratios, etc.
analytics used in 3 ways:
- in planning stage for risk assessment (required)
- as substantive procedure (not required)
- as a final review (required)
How does fraud play a role in auditing?
an audit provides reasonable assurance that fraud will be detected - may not be able to detect
professional skepticism - have a questioning mind and a critical assessment of audit evidence - do not assume fraud is happening, but question assertions made by management
What are the types of fraud?
- fraudulent reporting
  - pressure to meet expectations or requirements (earnings projections, debt covenants, financing agreements)
- misappropriation of assets
  - pressure on EEs such as personal financial problems
  - low EE morale or an attitude of "the company owes me" or "I am underpaid"
  - if assets are easy to access, such as EEs that have access to cash
What is involved in Management Override of Internal Controls?
is one of the biggest risk factors for fraud
examples:
- pushing through a transaction that does not have a real business purpose
- unauthorized journal entry
- putting pressure on an EE to make JE they would not normally make
procedures would include:
- examining AJEs
  - especially JEs close to beg & end of reporting periods
- evaluate estimation for bias
- examine authorization for unusual transactions
How should the communication work if fraud is found?
if misstatement is material - auditor informs those charged with governance whether senior management is/is not involved in the fraud
if misstatement is not material - auditor informs appropriate level of management (one level above where fraud occurred)
When does an auditor report fraud to an outside party?
- when subpoena has been issued
- when SEC (public) client is changing auditors
- as required by GAS - Government Auditing Standards
- when auditor has been authorized to communicate with preceding auditor
What are the EXTERNAL factors to gaining an understanding of entity and its environment?
- INDUSTRY factors (market, competition, demand, seasonal activity)
- REGULATORY factors (accounting practices, frameworks, taxation, governmental policies, environmental regulations)
- ECONOMIC CONDITIONS (interest rates, financing, inflation)
- TECHNOLOGY factors
What are the INTERNAL factors to gaining an understanding of entity and its environment?
- nature of operations
- ownership & governance structure
- type of investments entity is making
- how entity is structured & financed
- how entity selects accounting policies & if appropriate to its industry
- objectives & strategies & related business risks involved
- IT systems infrastructure (ERP, cloud computing setup, custom developed)
- any significant business procedures and/or data flows that directly impact FS
What is involved in obtaining an understanding of internal controls?
EVALUATING the DESIGN of the control and determining whether the control has been implemented
auditor performs WALK-THROUGHS of key controls to verify controls have been implemented
auditor should FOCUS on SUBSTANCE of procedures (are they working & effective?) INSTEAD of their FORM - management might have appropriate controls on paper, but might not be enforced
sometimes a FLOWCHART is created/documented to show auditor's understanding of system
What happens if the auditor decides to rely on internal controls? If decides to not rely on internal controls?
to rely - assessing control risk below max:
reduces substantive procedures; auditor will perform tests of controls to make sure the controls are not only effectively designed but also working like they are supposed to (operating effectiveness)
not to rely - assessing control risk at max:
audit plan will be wholly substantive, which means auditor will test the account through substantive procedures and will not rely on internal controls
What are the 5 elements of Internal Control?
CRIME
- (E) - CONTROL ENVIRONMENT (policies & procedures to establish overall control of organization - tone at the top)
- (R) - RISK ASSESSMENT (policies to identify & analyze relevant risks to be managed)
- (C) - CONTROL ACTIVITIES (policies & procedures so that management’s objectives will be achieved, includes Segregation of duties, Authorization, and Physical controls - SAP)
- (I) - INFORMATION & COMMUNICATION systems (policies & procedures to identify/capture/exchange relevant info so that EEs can meet their responsibilities in timely manner)
- (M) - MONITORING (policies & procedures to measure effectiveness of internal controls as time goes on)
What are Risk Assessment Procedures?
what the auditor does to assess the risk of material misstatement
- inquiries of management and others
- observation & inspection of documents
- analytical planning procedures
- review of information from prior periods
- audit team discussion about risks identified - discuss how risks affect specific areas of the audit
What is involved in performing a walkthrough?
standard procedure to make sure auditor understands flow of transactions and can document it (part of gaining an understanding, and is not a test of controls)
auditor selects a few transactions and traces them through client’s accounting system
What are certain things that the audit team is required to document?
- audit team discussion about RMM (risk of material misstatement) & key elements about entity, its environment, etc.
- assessment of RMM at FS level & at relevant assertion level
- identified significant risks & related controls the auditor obtained an understanding of (walkthroughs)
With regards to Internal Controls, what is the auditor not required to do?
- perform test of controls (but can if necessary)
- search for significant deficiencies (but they may find them)
- determine whether controls are suitably designed to prevent or detect material misstatements (auditor does this, but not to all controls, just related to significant assertions/accounts)
The 3 main types of tasks that should be separated for segregation of duties include?
CAR or AAA
- Access (Custody) such as custody of the pre-numbered sales invoices or the goods being handled by the shipping department
- Authorization (execution) such as granting credit
- Accounting (Record keeping) such as entering customer's order form & dealing with receivables & collections
What are physical controls and authorizations that should be applied?
PHYSICAL CONTROLS:
- computer passwords & different account types within system with different levels of permissions
- custody of cash receipts/inventory should be handled by EEs without access to record keeping
AUTHORIZATIONS:
- transactions should be authorized
- AJEs should be reviewed & approved by management
What are reviews and information processing that should be applied?
REVIEW:
- monthly statements should be sent to customers
- related documents such as sales invoice, sales order form, and shipping documents should be compared
- cutoff should be verified to make sure transactions have been recorded in proper period
INFORMATION PROCESSING:
- focus on entity’s records regarding audit trail
- all key documents should be pre-numbered and sequence should be accounted for
- aged trial balance should be reconciled to GL periodically