Assessing Risk & Developing Planned Response Flashcards

Question 1

Q

Developing overall engagement strategy - 4 things

Answer

A

1) determine characteristics that define scope (basis for reporting, industry-specific reporting requirements, entity’s locations)
2) determine reporting objectives of engagement to plan timing of audit, nature of communications requirements and key dates for expected communications
3) consider important factors that determine focus of audit team’s efforts (materiality levels, preliminary areas for potential misstatements, financial reporting developments)
4) determine nature/timing/extent of resources necessary to perform engagement

Question 2

Q

Process of developing audit strategy helps auditor - 3 things (resources)

Answer

A

1) determine type and amount of resources to assign to specific audit areas
2) plan timing of resources
3) manage/direct/supervise resources (when meetings are held, how reviews will take place)

Question 3

Q

5 considerations for planning initial (first) audits

Answer

A

1) arrangements with previous auditor
2) major issues with initial selection discussed with mgmt
3) obtain sufficient audit evidence regarding opening balances
4) personnel with appropriate capabilities and competence assigned
5) other personnel to assist with firm’s quality control function

Question 4

Q

developing detailed audit plan

Answer

A

1) reviewing correspondence, last year’s workpapers, perm files, FS, auditor reports
2) discussing matters that may affect audit with firm personnel responsible for nonaudit services to entity
3) inquiring about current business developments affecting entity
4) reading current year interim FS
5) discussing type/timing/scope of audit w/mgmt, BOD, AC
6) considering effects of applicable/new accounting pronouncements
7) coordinating assistance of entity personnel
8) determining extext of involvement of specialists, consultants
9) establishing timing of audit work
10) establishing and coordinating staffing requirements

Question 5

Q

audit plan MUST HAVE these 3 things:

Answer

A

1) description of nature/extent/timing of planned risk assessment procedures sufficient to assess risks of material misstatement
2) nature/extent/timing of planned further audit procedures for each material class of transactions/account balances/disclosure
3) other audit procedures to comply with GAAS

Question 6

Q

developing detailed plan for attest engagement

Answer

A

1) while detailed plan not required, accountant should prepare /retain sufficient documentation to allow engagement teams/partners to satisfy supervision/review/QC responsibilities
2) accountant should determine nature/extent/timing of planned procedures in order to achieve engagement objectives

Question 7

Q

understanding entity - external factors

Answer

A

1) industry (market, competition (demand/price/capacity), cyclical, product technology, supply)
2) regulatory (framework, accounting principles, legislation, taxation, gov policies, environmental)
3) nature of entity
4) entity’s objectives and strategies and related business risks that may result in material misstatement
5) measurement and review of entity’s financial performance
6) IC, including selection and application of accounting policies
7) other
a) general level of economic activity (recession, growth)
b) interest rates and availability of financing
c) inflation and currency revaluation

Question 8

Q

understanding entity - internal factors

Answer

A

a) business operations (related parties, nature of revenue sources, products/services//markets, suppliers/clients, R&D)
b) investments (M&A, disposals, investments in nonconsolidated entities)
c) financing (structure, with related parties, derivatives)
d) financial reporting (accounting principles, rev rec, FV, inventory, FS presentation and disclosures)
e) IT environment - software, devices, telecom, technology services (cloud), emerging technology (AI, crypto, blockchain)
f) objectives and strategies - industry developments, new products/services, expansion of business, regulatory requirements, new accounting requirements, use of IT, risk appetite of entity
g) financial performance (pressure to misstate, reliance on IT)

Question 9

Q

auditor should identify the relevant factors that define the nature of an entity, including the impact on the risk of material misstatement (e.g., its operations, ownership and governance structure, investment and financing plans, selection of accounting policies, and objectives and strategies), and document the procedures performed to obtain that understanding. In particular, that understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment about assessing risks of material misstatement of the financial statements and responding to those risks throughout the audit.
this helps:

Answer

A

1) establish materiality and reevaluate that throughout the audit
2) consider appropriateness of chosen accounting policies and adequacy of disclosures
3) identify special areas of consideration might be necessary
4) develop expectations when performing analytical procedures
5) design and perform further audit procedures to reduce audit risk
6) evaluate sufficiency/appropriateness of audit evidence obtained

Question 10

Q

auditor should use professional judgment to determine the extent of the understanding required of the entity and its environment, including its internal control. The auditor’s primary consideration is….

Answer

A

whether the understanding that has been obtained is sufficient to assess risks of material misstatement of the financial statements

Question 11

Q

auditor should identify and document entity’s business processes, comprised of: (IT)

Answer

A

a) inputs
b) actors - either automated or actual person that carries out business process
c) actual activity or process that transforms the input
d) outputs - generation of entity’s FS or mgmt reports

Question 12

Q

auditor should obtain understanding of entity’s IT systems infrastructure and document procedures to obtain understanding of…

Answer

A

a) description of functions of system
b) change control process
c) security evaluation
d) system documentation should be reviewed for completeness, accuracy, timeliness

Question 13

Q

how to update understanding of entity’s business and ICs:

Answer

A

1) reading documentation for prior year’s audit and review of interim
2) reading most recent annual and prior interim financial information
3) consider results of audit procedures performed
4) inquire mgmt of changes in business activities
5) inquire mgmt about significant changes in ICs related to preparation of interim financial information

Question 14

Q

attestation engagements: what is attestation risk?

Answer

A

the risk that the accountant expresses an inappropriate opinion or conclusion, as applicable, when the underlying subject matter or subject matter information (or assertion) is materially misstated.

Attestation risk is not applicable to an agreed‐upon procedures engagement, as the design .of procedures in that type of engagement is the responsibility of the specified party(ies).

Question 15

Q

3 objectives of audit engagement ORC

Answer

A

Operations
Reporting
Compliance

Question 16

Q

CRIME

Answer

A

Control environment EBOCA
Risk assessment SAFR
Information and communication systems OIE
Monitoring SOD
Existing control activities CATP

Question 17

Q

C - control environment EBOCA

Answer

A

Ethics
Board Independence & Oversight
Organizational Structure
Competence
Accountability

sets tone of org, influencing control consciousness of employees
1) assignment of authority and responsibility - important in an IT environment due to the potential access to data by multiple users. When multiple users have access to a particular database, the potential for manipulation increases
2) human resource policies and practices - in a computerized environment, the need for skilled employees operating with a high degree of integrity is of great importance.
3) management’s philosophy and operating style - management’s failure to commit sufficient resources to address security risks presented by IT may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or by allowing unauthorized transactions to be processed.

Question 18

Q

R - risk assessment SAFR

Answer

A

Specify Objectives
Assess Changes (in environment)
Fraud
Risk Analysis

identification, analysis and management of risks relevant to the prep of FS that are fairly presented in conformity with applicable reporting framework
1) requires the inclusion of a strict policy of control over changes in programs and inappropriate access to data to prevent data alteration or manipulation

Question 19

Q

I - information and communication OIE

Answer

A

Obtain Information
Internally Communicate
Externally Communicate

procedures and records relevant to financial reporting and communication to individuals of their roles and responsibilities pertaining to IC over financial reporting as well as to those charged with governance and regulatory authorities
1) quality of the information has a direct relationship to the relevance and appropriateness of the decision‐making process. For instance, continuous control modules (CCM) embedded within the software system enable management to monitor transaction processing of all data. Physical controls over hardware ensure actions that could affect data integrity are only carried out by responsible personnel.

Question 20

Q

M - monitoring SOD

Answer

A

Separate and Ongoing Evaluations
Deficiency Communication

assessing IC performance over time to ensure that controls continue to operate effectively
1) Management is responsible for establishing and maintaining proper internal controls. Management must monitor controls to consider whether they are operating as intended and that they are modified as appropriate for changes in conditions.

Question 21

Q

E - existing control activities and control environment CATP

Answer

A

Control Activities
Technology
Policies and Procedures

policies and procedures that ensure mgmt directives are carried out and necessary actions are taken to address risks that threaten achievement of entity objectives (authorization, seg of duties, safeguarding, asset accountability, performance reviews)
1) information processing - authorization of transactions and the maintenance of adequate documents and records (audit trail)
2) segregation of duties - adequate controls must be established within the IT department to compensate for the lack of segregation of duties that would normally be available in a manual system.
3) physical controls - access to assets is often possible through the computer system. As such, the need for enhanced physical controls is of great importance in an IT environment. It is also important to have adequate backup for computer files, as their destruction or damage could result in significant problems for a business entity.

Question 22

Q

identifying controls relevant to financial reporting

Answer

A

controls over FS that present according to GAAP and manage risk of material misstatement

whether and how a control prevents, detects, corrects material misstatement in either classes of transactions, account balances, or disclosures

Question 23

Q

identifying controls relevant to financial reporting - factors to consider

Answer

A

1) materiality
2) size of entity
3) nature of entity’s business
4) diversity and complexity of entity’s operations
5) applicable legal and regulatory requirements
6) nature and complexity of systems that are part of entity’s ICs

Question 24

Q

identifying controls relevant to financial reporting - accounting review and engagements (preparation, compilation, review)

Answer

A

engagement to prepare financial statements is a nonattest engagement and does not require the accountant to be independent. The accountant is not required to verify the accuracy or completeness of the information provided by management or otherwise gather evidence to express an opinion or conclusion on the financial statements.
compilation engagement is a no‐assurance engagement. There is no expectation that the accountant would obtain an understanding of internal control in this type of engagement. The accountant only needs to be able to have competence and capabilities to read the financial statements for obvious departures from the applicable financial reporting framework.
review engagement provides limited assurance. There is no requirement in a review to obtain a specific understanding of the design of internal controls;

Question 25

Q

identifying controls relevant to financial reporting - attestation engagements (control risk and attestation risk)

Answer

A

Control risk is the risk that a material misstatement could occur in the subject matter and not be prevented, or detected and corrected, on a timely basis by internal control

Attestation risk is the risk that the accountant expresses an inappropriate opinion or conclusion, as applicable, when the underlying subject matter or subject matter information (or assertion) reported on is materially misstated.

Attestation risk is not applicable to an agreed‐upon procedures engagement, as the design of procedures in that type of engagement is the responsibility of the specified party(ies).

Question 26

Q

IT general controls apply when?

Answer

A

apply to all aspects of IT function BEFORE TRANSACTIONS ARE PROCESSED (vs. application controls that operate at the process level and apply to processing transactions)

outside controls that provide protection for applications and mitigate:
risk of system crash
risk of unauthorized processing
risk of unauthorized master file updating
risk of unauthorized change to application software

Question 27

Q

IT general controls - 6 types

Answer

A

1) admin of IT function (tone at the top, control environment)
2) segregation of duties
3) system development (segregation of roles)
4) physical and online security
5) backup and contingency planning
6) hardware controls (to detect system failure)

Question 28

Q

IT general controls - admin of IT function

Answer

A

1) admin of IT function (tone at the top, control environment)
attitude of sr mgmt and BOD
resource allocation to IT function
involvement of IT in decision making, signal to IT importance
IT steering committee
smaller org = CIO relied upon by BOD
if assigned to lower level employees who don’t have any authority or outsourced, may signal less importance

Question 29

Q

IT general controls segregation of duties ARC

Answer

A

ARC “Protect you from a flood of problems”

Authority

Record keeping

Custody of related assets

Question 30

Q

IT general controls - system development

Answer

A

BOD
CIO or IT Mgr
Security Admin (physical assets and online security)
System development (purchase and/or develop/test software) (“authorization”)
system analysts - architect designs system
programmers - create/write the program, document it (cannot be user of system - violation of segregation of duties)
Operations (“recording/record keeping”)
Librarian - program moves from programmer to librarian , who controls the use of the program and does not release it back to the programmers when they need to make changes
network administrator - maintains network, supports all users using network
computer operators - import data into the computer system
Data control (“custody”)
database admin - “hold keys”, super user logins and all data for company (cannot have access to operations or system development - violation of segregation of duties)
data input/data output

Question 31

Q

IT general controls - physical and online security

Answer

A

Security admin

Question 32

Q

IT general controls - backup and contingency planning

Answer

A

power failure, fire, excessive heat/humidity, water damage, sabotage, terrorism
battery backups, generators
disaster recovery plan
offsite storage
outsource to firms that specialize in secure data storage
hot site - secondary site to continue to conduct business
cold site - secondary site that would need a bit of time to get going, but less expensive

Question 33

Q

IT general controls - hardware controls

Answer

A

6) hardware controls
built into computer equipment to detect and report equipment failure

Question 34

Q

IT application controls (what are they and what do the controls surround?)

Answer

A

IT application controls - designed to achieve specific control objectives related to specific accounting tasks. They pertain to the processing of individual applications. The auditor is responsible for identifying and documenting an entity’s relevant IT application controls within the flow of an entity’s transactions for a significant business process and must consider the effect of these controls on the completeness, accuracy, and reliability of an entity’s data.
Application controls - **controls that surround the applications themselves **
designed for each software specifically
manual or automated controls - input, processing, and output controls

Question 35

Q

IT application controls - INPUT CONTROL

Answer

A

1) input control - info entered is authorized, accurate and complete (garbage in, garbage out)
-management authorization
-adequate prep of input source documents
-competent personnel
-adequately designed input screens with preformatted prompts for transaction information
-online based input controls for ecommerce applications where external parties perform the initial art of the transaction inputting
-check digit - purpose of a check digit is to verify that the information on the barcode has been entered correctly
-validity check - computer-performed validation test of input accuracy such as validation of customer number against customer master file
-edit check - auto controls programmed into application to help prevent invalid data being entered
-limit test - user has to enter SSN before any other input; check over $$$ threshold is void
-pull-down menu
-immediate error correction procedures to provide for early detection and correction of input errors
-accumulation of errors in an error file for subsequent follow up by data input personnel

Question 36

Q

IT application controls - INPUT CONTROL (record count vs hash total, vs financial total)

Answer

A

record count hash total financial total
count account# $ owed
1 1256 200
2 3645 300
3 2542 500
4 2569 650
5 5987 100
6 4386 350
7 6598 200
8 3749 125
9 5823 275
45 36555 2700

Question 37

Q

IT application controls - PROCESSING CONTROL

Answer

A

2) processing control - prevent and detect errors while transaction data are processed
this is where the general controls during the development stage provide essential control for minimizing processing errors
specific processing controls are often programmed into the software to prevent, detect, and correct processing errors
-validation test - ensures particular type of transaction is appropriate for processing (does tran code = predetermined code?)
-sequence test - determines that data submitted for processing are in the correct order (payroll transactions in dept order before processing?)
-arithmetic accuracy test - checks accuracy of processed data (does sum of net pay + withholdings = gross pay?)
-data reasonableness test - determines whether data exceed prespecified amounts (does gross pay > 60 hours for week?)
-completeness test - determines that every field in a record has been completed ( are emp #, name, etc. included for every employee?)

Question 38

Q

IT application controls - OUTPUT CONTROLS

Answer

A

3) output controls - detects errors after processing
-review data for reasonableness by knowledgeable employees
-reconcile (compare sample of transactions, reconcile to manual control totals, compare number of units processed to number submitted)

Question 39

Q

Preventative controls

Answer

A

qualified personnel, adequate training
segregating duties to prevent fraud
controlling physical access and system access (key cards, passwords, biometrics)

Question 40

Q

Detective controls

Answer

A

QC
reconcilement

Question 41

Q

Corrective controls

Answer

A

backup copies
procedures to correct errors
DR plan
computer emergency response team (CERT) to react to security breaches and take corrective action timely
-determine problem exists
-contain the problem quickly to minimize damage
-identify why problem occurred
-repair damage and correct problem (retore backup, reinstall corrupted program)
-determine prevention in future
-determine whether to prosecute perpetrator

Question 42

Q

understanding business processes - walkthrough and document

Answer

A

1) classes of transactions that are significant to financial reporting
2) procedures (auto and manual) to initiate/authorize/record/process/report transactions in FS
3) related (electronic or manual) accounting records and supporting information that are significant to FS
4) how info systems capture events and conditions other than transactions that are significant to FS
5) financial reporting process used to prep FS, including significant estimates and disclosures
6) controls around JEs, especially those recording nonrecurring, unusual transactions or adjusting transactions

Question 43

Q

understanding relevant controls - identify and document; consider effect on completeness, accuracy, reliability of data

Answer

A

1) identifies and records all valid transactions
2) describes transactions in sufficient detail to permit proper classification for financial reporting
3) measures value of transactions that permit proper value in FS
4) determines correct time period to record
5) presents transactions (and disclosures) in FS

Question 44

Q

auditor should obtain an understanding of IT systems that are:

Answer

A

auditor should obtain an understanding of IT systems that are, directly or indirectly, the source of financial transactions or the data used to record financial transactions and document the procedures performed to obtain that understanding.

Question 45

Q

understanding risk - perform risk assessment to:

Answer

A

auditor should perform risk assessment to determine whether relevant internal controls are effectively designed and operating and use to:
1) identify types of potential misstatements
2) consider factors that affect the risks of misstatements
3) design tests of controls and substantive procedures

Question 46

Q

evaluating design of control involves:

Answer

A

Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing or detecting and correcting material misstatements

Question 47

Q

Implementation of a control means:

Answer

A

Implementation of a control means that the control exists and that the entity is using it

Question 48

Q

Procedures to obtain audit evidence about the design and implementation of relevant controls may include:

Answer

A

1) inquiry of personnel (NOT SUFFICIENT BY ITSELF)
2) observation of application of specific controls
3) inspection of documents and reports
4) tracing transactions through systems relevant to financial reporting

Question 49

Q

Benefits of IT systems

Answer

A

consistently apply predefined business rules and perform complex calculations in processing large voumes of transactions or data
enhance timliness, availability and accuracy of information
facilitate additional analysis of information
enhance ability to monitor performance, policies and procedures
reduce risk of control circumvention
enhance ability to achieve segregation of duties via security controls in applications, databases, operating systems
use of barcode technology to eliminate human data entry and improve perpetual inventory recordkeeping speed and accuracy

Question 50

Q

Risks of IT systems

Answer

A

reliance on systems or programs that could be processing data inaccurately or processing inaccurate data
unauthorized access to data resulting in destruction or change in data
unauthorized change to data in master files
unauthorized change to systems or programs
failure to make necessary changes to systems or programs
inappropriate manual intervention
potential loss of data or inability to access data
possibility of IT personnel gaining access beyond necessary, breaking down segregation of duties

Question 51

Q

SOC 1 vs SOC 2 reports (implications of using a 3rd party service provider)

Answer

A

SOC® 1 report addresses internal controls over financial reporting, the SOC® 2 report focuses on operational and compliance controls

SOC® 1 reports are for management of the service organization, user entities, and user auditors (design of controls over financial reporting)

SOC® 2 reports are restricted and are only for parties that are knowledgeable about the nature of the service provided by the service organization (design and operating effectiveness of operational and compliance controls)

Question 52

Q

limitations of controls

Answer

A

human judgment, human failures

lack of understanding of purpose of control

collusion

mgmt override- mgmt is in a unique position to perpetrate fraud because of its ability to manipulate accounting records and prepare fraudulent financial statements by overriding established controls that otherwise appear to be operating effectively
**mitigation/detection: examine JEs and other adjusting entries for evidence of possible misstatement due to fraud; review accounting estimates for biases that could result in misstatement due to fraud; evaluate business rationale for significant unusual transactions

segregation of duties not possible due to small number of employees

Question 53

Q

identification of a risk of material misstatement due to fraud involves the application of professional judgment and includes the consideration of the attributes of the risk, including:

Answer

A

1) type of risk, ie fraudulent financial reporting, misappropriation of assets
2) significance of risk - magnitude could result in possible material misstatement
3) likelihood of risk - will it result in material misstatement
4) pervasiveness of risk - whether potential risk is pervasive to FS as a whole or specifically to a particular assertion/account/class of transactions

Question 54

Q

conditions that may indicate increased risk of fraud

Answer

A

a. discrepancies on accounting records
1) transaction not recorded in a complete or timely manner
2) unsupported or unauthroized balanes or transactions
3) last minute adjustments
4) evidence of unauthorized access
5) tips to auditors about alleged fraud
6) overly complex transactions
b. conflicting or missing evidence
1) missing documents
2) documents appearing to be altered
3) unavailability of original documents
4) significant unexplained items on recons
5) inconsistent/vague explanations from mgmt or employees
6) unusual discrepancies between entity’s records and confirmations
7) missing inventory or physical assets
8) unavailable electronic evidence inconsistent with retention policies
9) inability to produce evidence of key ssytem development and program change testing and implementation
c. problematic or unusual relationships between auditor and mgmt
1) denial of access to records/employees
2) undue time pressures imposed by mgmt
3) complaints by mgmt about conduct of audit, intimidation
4) unusual delays by entity in providing information
5) unwillingness to facilitate auditor access to key electronic files
6) denial of access to key IT operations staff
7) unwillingness to add/improve disclosures to make them more complete or clear
8) unwillingness to address identified deficiencies in IC timely

net income doesn’t tie well to cash flows
changes in inventory/AP/sales is inconsistent with prior period
profitability or bad debt write offs aren’t comparable to industry trends or data
sales volumes don’t compare well to production statistics

Question 55

Q

fraud triangle

Answer

A

opportunity
pressure (earnings)
rationalization

Question 56

Q

Identifying fraud

Answer

A

error = unintentional; fraud = intentional
primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management.

Misstatement #1 - misstatement arising from fraudulent financial reporting; committed by mgmt to deceive FS users
manipulation, falsification, alteration of accounting records; misrepresentation or omission of events, transactions; intentional misapplication of accounting principles

Misstatement #2 - misappropriation of assets; committed against entity most often by employees
embezzling, theft, or causing entity to pay for goods not received
risk factors to consider: pressure/incentive to commit?; perceived opportunity?; able to rationalize?

Question 57

Q

Ways to identify fraud (and help the team identify fraud)

Answer

A

-discussions with audit team regarding fraud - brainstorming helps newer auditors learn, allows consideration of known external and internal factors, professional skepticism, should continue throughout the audit, document discussions
-inquiries of mgmt regarding fraud - knowledge of, aware of allegations of, mgmt’s communication of process to identify, mgmt’s communication of views on business practices and ethical behavior, any significant transactions entered into?
-auditor should address the risk of management override of controls apart from any conclusions regarding the existence of more specifically identifiable risks by designing and performing audit procedures to:
1) test appropriateness of JEs
2) review accounting estimates for bias
3) evaluate whether any transactions suggest they may have been entered into to engage in fraudulent activity or misappropriate assets

Question 58

Q

ways to respond to risk of material misstatement due to fraud

Answer

A

1) response that has an overall effect on how the audit is conducted, including (1) assignment of personnel and supervision, (2) management’s selection of accounting principles, and (3) using audit procedures that include an element of unpredictability.
2) response to identified risks involving the nature, extent, and timing of the auditing procedures to be performed. The auditor should consider changing the nature, extent, and timing of audit procedures to address specifically identified risks.
3) response involving the performance of certain (innovative, inventive) procedures to further address the risk of material misstatement due to fraud involving management override of controls.
a) performing procedures on a surprise or unannounced basis
b) ask that inventories be counted at period end or close to period end to minimize risk of balance manipulation
c) making oral inquiries of major customers
d) performing substantive analytical procedures
e) interviewing personnel

Question 59

Q

assessing fraud on other types of engagements (compilation, review)

Answer

A

Compilation engagements provide no assurance. There is no responsibility on the part of the practitioner to perform any procedures to identify or respond to fraud risk.

Review engagements provide limited assurance. Inquiry, analytics, and other procedures are designed and performed to provide limited assurance, which is substantially less than the reasonable assurance expressed in an audit.
Discuss with appropriate parties; ask they bring in legal or regulatory, obtain legal advice, communicate with regulator
In a review, if the accountant becomes aware of any actual, suspected, or alleged fraud or noncompliance with laws or regulations affecting the subject matter, the accountant should communicate (either written or oral) the matter as soon as practicable to the appropriate level of management

Question 60

Q

assessing fraud on other types of engagements (attestation)

Answer

A

attestation engagement - Examination engagements require an assessment of attestation risk, similar to financial statement audits, to provide reasonable assurance whether any material modifications should be made to the underlying subject matter in order for it to be in conformity with stated criteria.

In both examination and review engagements, the accountant should make inquiries of appropriate parties to determine whether they have knowledge of any actual, suspected, or alleged fraud

In an agreed‐upon procedures engagement, the design of procedures is the responsibility of the specified party(ies). Those procedures may or may not include fraud‐related procedures.

Question 61

Q

assessing risk of material misstatement - risk assessment procedures

Answer

A

auditor should identify risks of material misstatement by obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the particular classes of transactions, account balances, and disclosures in the financial statements.

Risk assessment procedures:
1) inquiries of mgmt
2) analytical procedures
3) observation and inspection

Question 62

Q

assessing risk of material misstatement - risk assessment procedures - analytical procedures

Answer

A

analytical procedures applied at two phases of all audits:
1) initial planning stages to help plan nature.timing.extent
2) overall review of financial information I the final review stage of audit

analytical procedures should focus on:
1) enhancing auditor’s understanding of client’s business and transactions and events that have occurred since last audit
2) identify areas that represent specific risks relevant to audit
identify unusual transactions, amounts, events
auditor should develop expectations of relationships reasonably expected to exist

Question 63

Q

assessing risk of material misstatement - risk assessment procedures - observation and inspection

Answer

A

observation of entity activities and operations
inspection of documents, records
reading mgmt reports
physical observation of premises
auditor should remain alert when inspecting records or documents for arrangements or other information that may indicate the existence of related party relationships or transactions that management has not previously identified or disclosed to the auditor (bank and legal confirmations, BOD/AC meeting minutes)

Question 64

Q

examples of conditions and events that may indicate the existence of risks of material misstatement or significant unusual transactions that may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets:

Answer

A

operations in unstable economy
operations exposed to volatile markets
complex regulation
going concern, liquidity issues
achieving stated objectives only marginally
capital, credit constraints
changes in industry, supply chain
new products, services
expansion into new locations
reorgs
changes in key personnel
significant transaction with related parties
IC weaknesses
new financial reporting systems
past misstatements, errors
new accounting pronouncements
pending litigation
transactions that lack commercial or economic substance

Answer 65

A

Transactions

Account Balances

Presentation and Disclosure

Answer 66

A

Completeness

Offs (cut)

Valuation, allocation, & accuracy

Existence & Occurrence

Rights and Obligations

Understandability & Classification

Answer 67

A

-Existence & occurrence: Transactions and events that have been recorded or disclosed have occurred, and such transactions and events pertain to the entity.
-Completeness: All assets, liabilities, and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.
Liabilities/Expenses = Completeness, more risk that client understates. Test from source docs to ledger.
-Valuation/allocation/accuracy: Amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described.
-cutOff: Transactions and events have been recorded in the correct accounting period.
-Understandability & classification: Transactions and events have been recorded in the proper accounts.

Answer 68

A

-Existence. Assets, liabilities, and equity interests exist
Assets/Revenues = Existence, more risk that client overstates. Test from ledger to source docs.
-Rights and obligations. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
-Completeness. All assets, liabilities, and equity interests that should have been recorded have been recorded.
-Valuation/allocation/accuracy. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.

Answer 69

A

-Existence & occurrence. Disclosed events and transactions have occurred
-Rights and obligations. Disclosed events and transactions pertain to the entity.
-Completeness. All disclosures that should have been included in the financial statements have been included.
-Understandability & classification. Financial information is appropriately presented and described and information in disclosures is clearly expressed
-Valuation/allocation/accuracy. Financial and other information is disclosed fairly and at appropriate amounts.

Answer 70

A

Completeness = “tracing” = trace sample of fixed assets from fixed asset schedule/FA requisition form to the GL; examine repair and maintenance expense for additions or disposals
Off(cut) = examine purchases and sales shortly before and after period end
Valuation/allocation/accuracy = recalculate depreciation to verify reasonableness
Existence & occurrence = “vouching” = vouch sample of receiving reports to vendor invoices to determine that items have been properly received and properly paid for
Understandability & classification = examine all charges made to repairs/maintenance expense to verify capitalization vs expense

Answer 71

A

treasury stock
stock transactions
board minutes
articles of incorporation
stock transfer agent
stock certificate
retained earnings

Answer 72

A

asset tagging
controls
observation
calculation
comingled goods
related accounts
quantity
presentation
analytical review
obsolete/damaged goods

Answer 73

A

segregation of duties
outside confirmations
physical inspection
cutoff
confirmations
reasonableness/appropriateness
knowledge/skill

Answer 74

A

bank confirmation (open/closed acct)
bank reconciliation
cutoff, i.e. bank statement

Answer 75

A

Authorization = supervisor/HR
recording = payroll dept
custody = treasurer

Completeness = “tracing” = trace timesheets to payroll report/register
Off(cut) = pull sample of timesheets before and after cutoff
Valuation/allocation/accuracy = confirm valuation of payroll expense on IS by comparing amounts recorded in payroll to total amount of checks issued and outstanding; compare labor rates to employee records; recalculate based on sample of payroll checks
Existence & occurrence = “vouching” = vouch payroll report back to entries made in payroll register back to sample of timesheets
Understandability & classification = review sample of paychecks and determine whether classified into proper expense item on IS

Answer 76

A

author = credit, i.e. sales order
custody = warehouse
reconcile = shipping, i.e. lading
recording = billing/AR/acctg, i.e. invoice & GL

Completeness = “tracing” = trace sample of sales orders to the shipping documents to sales invoices to sales journal
Off(cut) = compare sample of sales invoices shortly before and after cutoff with shipment dates and dates sales were recorded
Valuation/allocation/accuracy = compare prices to sales terms on invoices to ensure correct amount was computed
Existence & occurrence = “vouching” = vouch sales journal back to invoices back to shipping docs back to sales orders
Understandability & classification = “examine” = examine sample of sales invoices for proper classification into the appropriate revenue accounts

Answer 77

A

author = purchasing dept - approve/prepare PO
custody = warehouse
reconciliation = receiving dept - match with blind PO, prepare receiving report
recording = acctg/AP - receives outside doc/invoice, match to PO/receiving report, prepare and approve payment
cash disbursement = treasury dept - review docs, prepare checks/remittance advice, sign checks, mark voucher as paid, mail checks

Completeness = “tracing” = determine prenumbered listings of purchase orders/vouchers and trace PO/voucher samples to receiving reports to invoices (PO+receiving reports+ invoices = “VOUCHER PACKAGE”) to purchase journal
Off(cut) = determine that dates applied to vouchers/POs with dates that were recorded in sales journal; examine purchases immediately before and after cutoff
Valuation/allocation/accuracy = recalculate amounts recorded on vendor invoices
Existence & occurrence = determine if expenditures were properly authorized and properly presented on receiving report.
Understandability & classification = examine sample of purchases and determine whether they were properly classified

Answer 78

A

Significant risks are often derived from business risks that may result in a material misstatement AND SHOULD BE DOCUMENTED BY AUDITOR:
whether risk is risk of fraud
whether risk is related to recent significant economic, accounting or other developments therefore requiring special attention
complexity of transactions
whether risk involves significant transactions with related parties
degree of subjectivity in measurement of financial information, especially the degree of uncertainty
whether risk involves significant nonroutine transactions that are outside normal course of business or unusual
Routine, noncomplex, systematic transactions are less likely to be significant risks because they have lower inherent risk

Answer 79

A

Nature

Extent

Timing

Answer 80

A

1) emphasize to audit team the need to maintain professional skepticism in gathering an evaluating audit evidence
2) assign more experienced staff or those with specialize skills
3) provide more supervision
4) incorporate additional elements of unpredictability in the selection of audit procedures to be performed
5) make general changes to audit procedures, i.e. perform substantive procedures at period end rather than interim date
6) if there is a more effective control environment the auditor can have more confidence in internal control and the reliability of audit evidence generated internally
7) if there are weaknesses, the auditor may consider:
a) performing more audit procedures at period end rather than interim
b) seeking more extensive audit evidence
c) modifying audit procedures to obtain more persuasive audit evidence
d) increasing number of locations to include in scope
8) use substantive approach which emphasizes substantive procedures or use of combined approach which tests controls along with performance of substantive procedures
9) perform further audit procedures that are responsive to the risks of material misstatement at the relevant assertion level, considering:
a) significant of risk
b) likelihood that MM will occur
c) characteristics of class of transactions, account balance, or disclosure involved
d) nature of specific controls used by entity and whether they are manual or automated
e) whether auditor expects to obtain audit evidence to determine if controls are effective in preventing or detecting MM
f) results of data analytic output used to determine relationships and interpret results to provide basis for developing audit procedures
10) auditor’s assessment of identified risks at relevant assertion level provides basis for considering appropriate audit approach for designing and performing further audit procedures
11) regardless of approach, auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, balances, disclosures
12) auditor must specifically analyze transactions that have higher risk of MM from audit data analytic output by determining relationships among variables and interpreting results to provide a basis for developing planned audit procedures
13) for a smaller entity, auditor may rely less on authorization and approval for audit evidence regarding the validity of related party transactions and instead may consider performing other audit procedures (inspecting documents, confirmations)
14) nature of further audit procedures refers to their purpose (tests of controls or substantive procedures) and their type, that is, inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedures.
15) Certain audit procedures may be more appropriate for some assertions than others, i.e. for revenue, tests of controls may be more responsive to the assessed risk of misstatement of the completeness assertion, whereas substantive procedures for assessed risk of misstatement of the occurrence assertion.
16) higher auditor’s assessment of risk = more reliable and relevant evidence is sought
17) timing - when audit procedures are performed or the period or date to which the audit evidence applies.
18) higher risk of MM = more likely auditor will decide to perform substantive audit procedures nearer to period end date or unannounced
19) contrary argument is that performing audit procedures before the period end may assist the auditor in identifying significant matters at an early stage of the audit, and resolve w/mgmt or develop effective audit plan to address
20) If the auditor performs tests of the operating effectiveness of controls or substantive testing before the period end, the auditor should consider the additional evidence that is necessary for the remaining period
21) when considering when to perform audit procedures, consider:
a) effectiveness of control environment
b) when relevant info is available
c) nature of risk
d) period or date to which audit evidence relates
22) extent - quantity of a specific audit procedure to be performed; for example, a sample size or the number of observations of a control activity. determined by the judgment of the auditor after considering the materiality, the assessed risk of material misstatement, and the degree of assurance the auditor plans to obtain

Answer 81

A

1) risk of MM due to fraud
2) effectiveness of controls over JEs and other adjustments
3) financial reporting process and nature of evidence that can be examined
4) characteristics of fraudulent entries or adjustments
5) nature and complexity of accounts
6) JEs or other adjustments processed ouside of normal course of business

Answer 82

A

control risk = risk that material misstatement that could occur in a transaction or adjusting entries will not be prevented or quickly detected by internal controls (can be assessed by auditor, but cannot be changed/reduced by auditor)
inherent risk = susceptibility of transactions to be recorded in error or to be influenced by mgmt’s fraudulent activities (can be assessed by auditor, but cannot be changed/reduced by auditor)
audit risk = Risk that auditor expresses an inappropriate opinion when financial statements are materially misstated
detection risk = risk that material misstatement would not be caught by audit procedures
risk of material misstatement = auditor’s combined assessment of inherent risk and control risk (both exist independently of the audit of FS
risk of material misstatement and detection risk are inversely related: higher risk of MM = lower risk of detection risk that can be accepted by auditor

Answer 83

A

1) determining extent and nature of risk assessment procedures
2) identifying and assessing the risks of material misstatement
3) determining the nature, timing, extent of further audit procedures
4) evaluating whether the FS as a whole are fairly presented in all material respects in conformity with applicable reporting framework
5) obtaining reasonable assurance about whether the consolidated FS as a whole are free from material misstatement whether due to error or fraud

Answer 84

A

1) elements of FS (asset, liab, equ, income, exp) and the FS measures defined in GAAP
2) whether there are FS items on which users tend to be focused
3) nature of entity and industry and changing economic environment in which it operates
4) size, nature of ownership, way it’s financed
5) relative volatility of the benchmark

Answer 85

A

1) affects compliance with regulatory requirements, debt covenants, contractual requirements
2) relates to incorrect selection or application of accounting policy currently immaterial but expected to become material
3) masks change in earnings or other trends
4) affects ratios used to evaluate entity’s financial position
5) has effect of increasing mgmt’s compensation
6) is significant with regard to previous communications to users
7) related parties
8) omission of information not required by framework but is in auditor’s professional judgment to be important to users’ understanding of financial position
9) affects other information that will be communicated to users in audited FS
10) misclassification
11) too costly to correct
12) represents risk that other undetected misstatements would affect auditor’s evaluation
13) changes loss into income or vice versa

Answer 86

A

application of performance materiality to a particular audit sampling procedure and may be the same amount or an amount smaller than performance materiality.

Answer 87

A

Performance materiality = amount less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.
auditor should determine one or more levels of performance materiality for classes of transactions, account balances, and disclosures.
Performance materiality is a planning concept related to the auditor’s determination of materiality for planning the financial statement audit in such a way that misstatements, combined for all of the tests in the entire audit, do not exceed materiality for the financial statements.
i.e. auditor should normally set performance materiality for a specific audit procedure at less than the financial statement materiality so that when the results of the audit procedures are aggregated, the required overall assurance is attained.

Answer 88

A

No reference is made to the CA when:
1) CA is associated with or retained by group audit engagement team
2) group audit partner is satisfied with CA’s work
3) portion of FS examined by CA is immaterial
Conditions for referencing component auditor (CA)
1) component’s FS are prepared using the same financial reporting framework, unless certain criteria are met
2) CA has performed audit that meets GAAS/PCAOB requirements
3) CA’s report is not restricted as to use
Group partner can make reference to CA in group report if:
1) group partner indicates dollar amounts audited by CA (total assets, revenues)
2) obtain CA’s permission to include name
3) presents CA’s report
4) if group partner chooses not to name the CA in the group report the group partner should indicate dollar amounts audited by CA (total assets, revenues)

Answer 89

A

1) group engagement team or component auditor should perform audit of component using materiality of component
2) group engagement team should be involved in risk assessments and should inquire about significant business activities, susceptibility of component to MM
3) group team should review component auditor’s documentation incl audit program and workpapers (to ascertain that sufficient appropriate audit evidence has been obtained)
4) If it isn’t possible to rely on work of CA, a qualified or disclaimed report may be appropriate
5) If CA’s report is qualified, the group partner must assess materiality to group FS as a whole

WHEN NOT TO USE CA WORK:
1) CA lacks independence relevant to group audit
2) group engagement team has concerns about ability to make reference or otherwise use work of CA; group engagement team ultimately responsible for obtaining sufficient appropriate evidence to support auditor report

Answer 90

A

1) Individually significant to the group financial statements = audit the financial information
2) Due to specific nature or circumstances, likely to include significant risks of material misstatement in the group financial statements = audit the financial information or one or more accounts, classes of transactions, or disclosures
3) if not significant, then analytical procedures at the group level may be appropriate

Answer 91

A

valuation (appraiser, FV experts)
amounts derived by specialized techniques (actuary)
quantity/conditions (engineers, geologists)
interpretation (attorney, regulatory experts)
NOT INTERNAL AUDIT

Answer 92

A

evaluate competence, capabilities, and objectivity
inquire regarding threats to objectivity
use variety of sources
obtain knowledge of qualifications, professional license, association, etc.
obtain agreement as to roles and responsibilities
include within scope of QC policies and procedures

Answer 93

A

auditor’s responsibilities:
establish agreement relating to nature, scope, objectives of work including form and content of specialist’s report
understand significant assumptions and methods used
specialist’s responsibilities:
appropriateness and reasonableness of methods and assumptions used and applications of procedures
accept findings of specialist and related FS assertions, unless auditor’s procedures determine findings are unreasonable

Answer 94

A

evaluating mgmt’s specialists SINCE ENGAGED BY MANAGEMENT NOT AUDITOR - consider objectivity, competency, capabilities of specialist
obtain work incl technical or professional standards
use variety of sources
inherent threats to objectivity SINCE ENGAGED BY MANAGEMENT NOT AUDITOR - evaluate specialist relationship with client (perform additional procedures, consider using auditor specialist to corroborate work)

Answer 95

A

1) may impact nature, timing, extent of audit procedures
2) may provide direct assistance in performing procedures (understanding IC, control risk assessment, substantive procedures)
3) responsibility for opinion cannot be shared with IA

Answer 96

A

1) obtain understanding of IA function, incl IC (status in org, nature/timing/extent of their work, limitations on scope of activities?)
2) identify IA activities that are relevant to audit
3) assess the competence and objectivity (education level, professional certification/experience)
4) may change or reduce work of independent auditor

Answer 97

A

NO and NO

Answer 98

A

YES YES YES

Answer 99

A

1) Many laws and regulations relate principally to the operating aspects of an entity, and therefore do not affect the financial statements and are not captured by the entity’s information system
2) Noncompliance may involve conduct designed to conceal it, such as collusion, forgery, or intentional misrepresentations made to the auditor.
3) A court of law, not the auditor, determines if an act constitutes noncompliance.

Answer 100

A

1) inquiring of mgmt and those charged with governance about whether the entity is in compliance with such laws and regulations
2) inspecting correspondence with relevant regulatory or licensing authorities

Answer 101

A

1) auditor should obtain understanding of nature of the act and circumstances in which it occurred
a) examine supporting documents and compare them to accounting records
b) confirm info with 3rd parties
c) determine whether transaction has been properly authorized
d) consider whether similar transactions have occurred and apply procedures to identify them
e) discuss with mgmt and those charged with governance
2) obtain further information to evaluate possible effect on FS
3) obtain sufficient appropriate audit evidence to form an opinion and report at the level specified in the governmental audit requirement about whether the entity complied in all material respects with applicable compliance requirements
4) identify audit and reporting requirements specified in governmental audit requirement and perform procedures to address those requirements
5) consult w/mgmt a level above those involved to obtain understanding of nature of act
6) consult with client’s legal counsel or other specialists if mgmt’ response is unsatisfactory

Answer 102

A

1) should issue qualified or adverse if determines noncompliance with laws/regulations has material effect of FS and that the act has not been properly accounted for or disclosed
2) should express qualified or disclaim opinion if precluded by client for obtaining sufficient appropriate audit evidence to evaluate whether noncompliance with laws/regulations that could be mateiral have occurred
3) should withdraw from engagement if client refuses to accept auditor’s report as modified and include reasons for withdrawal in writing to those charged with governance
4) determine whether you have the responsibility to notify outside parties of noncompliance
5) include description of noncompliance and results of discussions with those charged with governance as well as with 3rd parties in audit documentation

Answer 103

A

1) mgmt understands their responsibility for understanding and complying
2) mgmt acknowledges responsibility for design, implementation, maintenance of controls around compliance with governmental programs in accordance with compliance requirements
3) mgmt states that they have identified and disclosed to auditor all government programs and related activities subject to governmental audit requirement
4) mgmt states they have made available to auditor all contracts, grant agreements, correspondence relevant to programs related to governmental audit requirement
5) mgmt states all known noncompliance has been disclosed to auditor
6) mgmt states they believe entity has complied
7) mgmt has made all documentation available to auditor
8) mgmt understands responsibility for taking corrective action

Answer 104

A

1) differing interpretation of accounting principles
2) required complex or subjective judgment
3) assumptions about effects of future events
4) potential lack of consistency from period to period
5) management bias

Answer 105

A

1) complexity and subjectivity associated with process
2) availability and reliability of data
3) number and significance of assumptions made
4) degree of uncertainty associated with assumptions

Answer 106

A

1) recognized and disclosed accounting estimates are reasonable (related disclosures are adequate, are in accordance with applicable financial reporting framework)
2) obtain understanding of following as basis for risk identification and assessment:
requirements of applicable financial reporting framework
how mgmt identifies relevant transactions and events that require estimation for presentation or disclosure
how mgmt makes the estimates including what data the estimates are based on
method/model, controls, use of specialist, assumptions, changes in method/assumptions from prior

Answer 107

A

1) identify material related party transactions that could affect FS
2) common ownership or mgmt control relationships (obtain understanding of mgmt’s responsibilities, activities, relationships with entity components)
3) consider business purpose served by components
4) transactions should not be assumed to be outside of ordinary course of business, absent evidence to the contrary

Answer 108

A

1) borrowing or lennding interest free or below market rate
2) selling RE at price significantly different than FMV
3) nonmonetary exchanges
4) loans without written terms

Answer 109

A

1) lack of sufficient working capital or credit
2) urgent desire to improve earnings or stock price
3) overly optimistic forecasted earnings
4) concentrated dependence on few customers or products
5) declining industry, incl obsolete products/services
6) significant litigation

Answer 110

A

Security admin

Brainscape's Knowledge GenomeTM

Assessing Risk & Developing Planned Response Flashcards

Brainscape's Knowledge Genome^TM