Assessing Risk & Developing Planned Response Flashcards
Developing overall engagement strategy - 4 things
1) determine characteristics that define scope (basis for reporting, industry-specific reporting requirements, entity’s locations)
2) determine reporting objectives of engagement to plan timing of audit, nature of communications requirements and key dates for expected communications
3) consider important factors that determine focus of audit team’s efforts (materiality levels, preliminary areas for potential misstatements, financial reporting developments)
4) determine nature/timing/extent of resources necessary to perform engagement
Process of developing audit strategy helps auditor - 3 things (resources)
1) determine type and amount of resources to assign to specific audit areas
2) plan timing of resources
3) manage/direct/supervise resources (when meetings are held, how reviews will take place)
5 considerations for planning initial (first) audits
1) arrangements with previous auditor
2) major issues with initial selection discussed with mgmt
3) obtain sufficient audit evidence regarding opening balances
4) personnel with appropriate capabilities and competence assigned
5) other personnel to assist with firm’s quality control function
developing detailed audit plan
1) reviewing correspondence, last year’s workpapers, perm files, FS, auditor reports
2) discussing matters that may affect audit with firm personnel responsible for nonaudit services to entity
3) inquiring about current business developments affecting entity
4) reading current year interim FS
5) discussing type/timing/scope of audit w/mgmt, BOD, AC
6) considering effects of applicable/new accounting pronouncements
7) coordinating assistance of entity personnel
8) determining extent of involvement of specialists, consultants
9) establishing timing of audit work
10) establishing and coordinating staffing requirements
audit plan MUST HAVE these 3 things:
1) description of nature/extent/timing of planned risk assessment procedures sufficient to assess risks of material misstatement
2) nature/extent/timing of planned further audit procedures for each material class of transactions/account balances/disclosure
3) other audit procedures to comply with GAAS
developing detailed plan for attest engagement
1) while detailed plan not required, accountant should prepare/retain sufficient documentation to allow engagement teams/partners to satisfy supervision/review/QC responsibilities
2) accountant should determine nature/extent/timing of planned procedures in order to achieve engagement objectives
understanding entity - external factors
1) industry (market, competition (demand/price/capacity), cyclical, product technology, supply)
2) regulatory (framework, accounting principles, legislation, taxation, gov policies, environmental)
3) nature of entity
4) entity’s objectives and strategies and related business risks that may result in material misstatement
5) measurement and review of entity’s financial performance
6) IC, including selection and application of accounting policies
7) other
a) general level of economic activity (recession, growth)
b) interest rates and availability of financing
c) inflation and currency revaluation
understanding entity - internal factors
a) business operations (related parties, nature of revenue sources, products/services/markets, suppliers/clients, R&D)
b) investments (M&A, disposals, investments in nonconsolidated entities)
c) financing (structure, with related parties, derivatives)
d) financial reporting (accounting principles, rev rec, FV, inventory, FS presentation and disclosures)
e) IT environment - software, devices, telecom, technology services (cloud), emerging technology (AI, crypto, blockchain)
f) objectives and strategies - industry developments, new products/services, expansion of business, regulatory requirements, new accounting requirements, use of IT, risk appetite of entity
g) financial performance (pressure to misstate, reliance on IT)
auditor should identify the relevant factors that define the nature of an entity, including the impact on the risk of material misstatement (e.g., its operations, ownership and governance structure, investment and financing plans, selection of accounting policies, and objectives and strategies), and document the procedures performed to obtain that understanding. In particular, that understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment about assessing risks of material misstatement of the financial statements and responding to those risks throughout the audit.
this helps:
1) establish materiality and reevaluate that throughout the audit
2) consider appropriateness of chosen accounting policies and adequacy of disclosures
3) identify areas where special consideration might be necessary
4) develop expectations when performing analytical procedures
5) design and perform further audit procedures to reduce audit risk
6) evaluate sufficiency/appropriateness of audit evidence obtained
auditor should use professional judgment to determine the extent of the understanding required of the entity and its environment, including its internal control. The auditor’s primary consideration is….
whether the understanding that has been obtained is sufficient to assess risks of material misstatement of the financial statements
auditor should identify and document entity’s business processes, comprised of: (IT)
a) inputs
b) actors - either automated or actual person that carries out business process
c) actual activity or process that transforms the input
d) outputs - generation of entity’s FS or mgmt reports
auditor should obtain understanding of entity’s IT systems infrastructure and document procedures to obtain understanding of…
a) description of functions of system
b) change control process
c) security evaluation
d) system documentation should be reviewed for completeness, accuracy, timeliness
how to update understanding of entity’s business and ICs:
1) reading documentation for prior year’s audit and review of interim
2) reading most recent annual and prior interim financial information
3) consider results of audit procedures performed
4) inquire of mgmt about changes in business activities
5) inquire of mgmt about significant changes in ICs related to preparation of interim financial information
attestation engagements: what is attestation risk?
the risk that the accountant expresses an inappropriate opinion or conclusion, as applicable, when the underlying subject matter or subject matter information (or assertion) is materially misstated.
Attestation risk is not applicable to an agreed‐upon procedures engagement, as the design of procedures in that type of engagement is the responsibility of the specified party(ies).
3 objectives of audit engagement ORC
Operations
Reporting
Compliance
CRIME
Control environment EBOCA
Risk assessment SAFR
Information and communication systems OIE
Monitoring SOD
Existing control activities CATP
C - control environment EBOCA
Ethics
Board Independence & Oversight
Organizational Structure
Competence
Accountability
- sets tone of org, influencing control consciousness of employees
1) assignment of authority and responsibility - important in an IT environment due to the potential access to data by multiple users. When multiple users have access to a particular database, the potential for manipulation increases
2) human resource policies and practices - in a computerized environment, the need for skilled employees operating with a high degree of integrity is of great importance.
3) management’s philosophy and operating style - management’s failure to commit sufficient resources to address security risks presented by IT may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or by allowing unauthorized transactions to be processed.
R - risk assessment SAFR
Specify Objectives
Assess Changes (in environment)
Fraud
Risk Analysis
- identification, analysis and management of risks relevant to the prep of FS that are fairly presented in conformity with applicable reporting framework
1) requires the inclusion of a strict policy of control over changes in programs and inappropriate access to data to prevent data alteration or manipulation
I - information and communication OIE
Obtain Information
Internally Communicate
Externally Communicate
- procedures and records relevant to financial reporting and communication to individuals of their roles and responsibilities pertaining to IC over financial reporting as well as to those charged with governance and regulatory authorities
1) quality of the information has a direct relationship to the relevance and appropriateness of the decision‐making process. For instance, continuous control modules (CCM) embedded within the software system enable management to monitor transaction processing of all data. Physical controls over hardware ensure actions that could affect data integrity are only carried out by responsible personnel.
M - monitoring SOD
Separate and Ongoing Evaluations
Deficiency Communication
- assessing IC performance over time to ensure that controls continue to operate effectively
1) Management is responsible for establishing and maintaining proper internal controls. Management must monitor controls to consider whether they are operating as intended and that they are modified as appropriate for changes in conditions.
E - existing control activities and control environment CATP
Control Activities
Technology
Policies and Procedures
- policies and procedures that ensure mgmt directives are carried out and necessary actions are taken to address risks that threaten achievement of entity objectives (authorization, seg of duties, safeguarding, asset accountability, performance reviews)
1) information processing - authorization of transactions and the maintenance of adequate documents and records (audit trail)
2) segregation of duties - adequate controls must be established within the IT department to compensate for the lack of segregation of duties that would normally be available in a manual system.
3) physical controls - access to assets is often possible through the computer system. As such, the need for enhanced physical controls is of great importance in an IT environment. It is also important to have adequate backup for computer files, as their destruction or damage could result in significant problems for a business entity.
identifying controls relevant to financial reporting
controls over FS that present according to GAAP and manage risk of material misstatement
whether and how a control prevents, detects, corrects material misstatement in either classes of transactions, account balances, or disclosures
identifying controls relevant to financial reporting - factors to consider
1) materiality
2) size of entity
3) nature of entity’s business
4) diversity and complexity of entity’s operations
5) applicable legal and regulatory requirements
6) nature and complexity of systems that are part of entity’s ICs
identifying controls relevant to financial reporting - accounting review and engagements (preparation, compilation, review)
engagement to prepare financial statements is a nonattest engagement and does not require the accountant to be independent. The accountant is not required to verify the accuracy or completeness of the information provided by management or otherwise gather evidence to express an opinion or conclusion on the financial statements.
compilation engagement is a no‐assurance engagement. There is no expectation that the accountant would obtain an understanding of internal control in this type of engagement. The accountant only needs to be able to have competence and capabilities to read the financial statements for obvious departures from the applicable financial reporting framework.
review engagement provides limited assurance. There is no requirement in a review to obtain a specific understanding of the design of internal controls;