AUD 3 - Engagement Acceptance, Planning, and Risk Assessment

Question 1

What are the required contents for an engagement letter for an audit?

Answer 1

1. The objective and scope of the audit.
2. The responsibilities of the auditor.
3. The responsibilities of mngt.
4. A statement that bc of the inherent limitations of an audit and IC, there is an unavoidable risk that some material misstatements may not be detected.
5. Identification of the applicable financial reporting framework.
6. Reference to the expected form and content of any reports.

Question 2

What are the requirements for communication with predecessor auditors for initial audits?

Answer 2

The auditor should make oral or written inquiries of the predecessor auditor before accepting an engagement regarding info that might bear on mngt integrity, disagreements with mngt, the predecessor’s understanding as to the reasons for the change of auditors, and communication regarding fraud, noncompliance, and IC matters.

Question 3

What is the audit plan based on and what does it outline?

Answer 3

It is written. It is based on the audit strategy and outlines the nature (factors that determine the focus of the audit; “type”), extent (“scope” of the audit), and timing (reporting objectives, audit timing, and required communications; “when”) of the procedures to be performed during the audit.

Question 4

What are tests of control and substantive procedures?

Answer 4

1. Tests of control are used to evaluate the operating effectiveness of Internal Controls in “preventing” and “detecting” material misstatements.
2. Substantive procedures are used to detect material misstatements. They include “tests of details” (as applied to transaction classes, account balances, and disclosures) and substantive “analytical procedures.”

Question 5

What are the 6 main f/s assertions?

Answer 5

“COVERU”

1. Completeness
2. cutoff
3. Valuation, allocation, and accuracy
4. Existence and occurrence
5. Rights and obligations
6. Understandability and classification

Question 6

What do PCAOB standards state that the f/s assertions are?

Answer 6

The PCAOB assertions are "CEO APROVED"
1. Completeness
2. Existence
3. Occurrence
4. Allocation
5. Presentation
6. Rights
7. Obligations
8. Valuation
    E
9. Disclosure

Question 7

What are relevant assertions, and which are included under (1) transactions and events, (2) account balances, and (3) presentation and disclosure?

Answer 7

Assertions that have a meaningful bearing on whether an account, transaction, or disclosure is fairly stated.

1. “COVEU” Completeness; cutOff; Valuation, allocation, and accuracy; Existence and occurrence; Understandability and classification.
2. “CVER” Completeness; Valuation, allocation, and accuracy; Existence and occurrence; Rights and obligations.
3. “CVRU” Completeness; Valuation, allocation, and accuracy; Rights and obligations, and occurrence; Understandability and classification.

Question 8

What do you do for the risk of the overstatement of assets and revenues and for the risk of understatement of liabilities and expenses?

Answer 8

1. Vouch down: Test for: Existence, Support, and Occurrence.
2. Trace up: Test for: Completeness and Coverage.

Question 9

What is audit risk?

Answer 9

The risk that the auditor may unknowingly fail to appropriately modify the opinion on f/s that are materially misstated.

Question 10

In addition to unintentional errors or intentional fraud, what three categories can misstatements be further broken down into?

Answer 10

1. Factual misstatements: about which there is no doubt.
2. Judgmental misstatements: differences arising from the judgments of mngt concerning acct estimates that the auditor considers unreasonable or the selection and application of acct policies that the auditor considers inappropriate.
3. Projected misstatements: the auditor’s best estimate of misstatements in populations, involving the projection of misstatements identified in audit samples to the entire population from which the samples were drawn.

Question 11

What is audit risk comprised of?

Answer 11

Audit risk is comprised of the risk that the f/s are materially misstated (risk of material misstatement “RMM”) and the risk that the auditor will not detect such misstatements (detection risk “DR”).

Question 12

What is the RMM subdivided into?

Answer 12

“IR * CR”

1. Inherent risk: the susceptibility of a relevant assertion to a material misstatement, assuming there are no related controls. (Client’s acct system has errors - prevent).
2. Control risk: the risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected (and corrected) on a timely basis by the entity’s internal control. (Client’s IC does not catch it - detection).
   * The auditor generally cannot change these risks; assessed by auditor.

Question 13

Describe detection risk.

Answer 13

Risk the auditor will not detect a material misstatement that exists in a relevant assertion. It is a function of the effectiveness of audit procedures and of the manner in which they are applied. (Auditor makes the mistake (error or fraud) and gives wrong opinion - CPA controls). It can be subdivided into tests of details risk (“TD”) and substantive analytical procedures risk (“AP”). Deals with nature, extent, and timing “NET.”

Question 14

What is the audit risk formula?

Answer 14

AR = RMM (assessed by auditor) * DR (controlled by auditor) -> AR = [(IR * CR) * DR]

Question 15

What is the relationship between RMM and DR and/or RMM and substantive procedures?

Answer 15

There is an inverse relationship b/w RMM and DR. There is a direct relationship b/w RMM and the assurance required from substantive procedures - greater risk requires more persuasive evidence, a larger sample size, and/or a shift from interim to year-end testing. In other words, as the acceptable level of DR decreases, the assurance provided from substantive procedures should increase, and vice versus.

Question 16

What are the series of steps an auditor performs in assessing the risks of material misstatements and responding appropriately to that risk?

Answer 16

“IM A CPA”

1. Internal control, entity, and environment (assessing IR and CR) - obtain an understanding.
2. Material misstatement - assess the risk.
3. Assessed level of risk response (respond to by designing further audit procedures).
4. Control testing (test IC to determine if they operating effectively).
5. Perform substantive testing.
6. Audit evidence - evaluate appropriateness and sufficiency.

Question 17

The auditor’s understanding of the entity’s IC allows the auditor to make a preliminary assessment of what, and the auditor’s understanding of industry, regulatory, and other factors, the nature of the entity, the entity’s objectives strategies, and business risks, and the entity’s financial performance aid the auditor in assessing what?

Answer 17

1. The entity’s control risk.

2. The entity’s inherent risk.

Question 18

What is the determination of significant accounts and disclosures and their relevant assertions based upon?

Answer 18

Inherent risk, without regard to the effect of controls.

Question 19

What should the determination of whether risk is a significant risk ignore, and what should it be based entirely on?

Answer 19

It should ignore the effects of control related to the risk, and should be based entirely on inherent risk.
Note: a significant risk exists when inherent risk is exceptionally high.

Question 20

What three categories are an entity’s objectives divided into, and which is most relevant to the audit?

Answer 20

1. Reliability of financial reporting (most relevant to the audit) (=f/s fraud/lying)
2. Effectiveness and efficiency of operations (=asset misappropriation/stealing)
3. Compliance with applicable laws and regulations (=corruption/cheating)

Question 21

The COSO framework for internal control consists of five interrelated components. The components represent means used by an entity to help it achieve its objectives. What are they?

Answer 21

It’s a “CRIME” not to have a strong IC.

1. Control environment - the overall tone of the organization.
2. Risk assessment - management’s identification of risk.
3. Information and communication systems - a means of recording transactions and communicating responsibilities.
4. Monitoring - assessment of internal control performance over time.
5. Existing control activities - control policies and procedures (that help ensure that mngt directives are carried out and that necessary steps to address risks are taken).

Question 22

What are the control activities in a strong system of internal control?

Answer 22

Strong internal control has “PAID TIPS”

1. Prenumbering documents (completeness and existence).
2. Authorization of transactions.
3. Independent checks to maintain asset accountability.
4. Documentation.
5. Timely and appropriate performance reviews.
6. Information processing controls (application controls for individual transactions and general controls for info processing throughout the company).
7. Physical controls for safeguarding assets.
8. Segregation of duties.

Question 23

For proper segregation of duties, what functions should not be combined?

Answer 23

“Segregation of duties” is your ARC to protect against a flood of troubles.

1. Authorization
2. Record keeping
3. Custody of related assets

Question 24

What are preventative and detective controls designed to do?

Answer 24

Preventive controls are designed to provide reasonable assurance that only valid transactions are recognized, approved, and submitted for processing. Most are applied before the processing activity occurs. Detective controls are designed to provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis. They are normally performed after processing has been completed. (RMM)

Question 25

What documentation is included in the required documentation of the auditor’s understanding of internal control?

Answer 25

Documentation may include any item the auditor can FIND.

1. Flowchart (symbolic diagram representing the sequential flow of authority, processes, and documents; depicts auditor’s understanding of IC system; system and program flowcharts).
2. Internal control questionnaire or checklists (used for each assertion of mngt, so as to “COVER U.”).
3. Narrative (written version of flowchart; more appropriate for less complex structures).
4. Documentation from the client, including copies of the entity’s procedures manuals and organizational charts.

Question 26

What are service auditor reports, and what are the two types of reports a service auditor may provide?

Answer 26

Service organizations often have an auditor perform an attestation examination engagement to report on the controls of the service organization that are relevant to the user entities’ internal control over financial reporting.

1. Type 1 report: a report on the design and implementation of a service organization’s controls. It does not provide assurance on the operating effectiveness of the controls; does not provide the user CPA with a basis for reducing the assessment of control risk.
2. Type 2 report: a report on the design, implementation, and operating effectiveness of a service organization’s controls; may provide evidence that would allow a reduction in the assessed level of control risk.

Question 27

What three elements of further audit procedures can be varied by the auditor? Describe each.

Answer 27

We cast our “NET” over the audit:

1. Nature: the nature of an audit procedure includes both its purpose (test of control vs. substantive procedure) and its type (inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedure).
2. Extent: the extent of an audit procedure refers to the quantity to be performed, such as the number of observations to be made or the sample size to be used.
3. Timing: audit tests may be performed at an interim date (strong) or at period end (weak).

Question 28

What may an auditor’s specific approach to identified risks at the relevant assertion level consist of?

Answer 28

1. A substantive approach: for certain relative assertions and risks, only substantive procedures will be performed. This occurs when control risk is assessed a maximum bc there are no effective controls relative to the specific assertion, the implemented controls are assessed as ineffective, or it would not be efficient to test the operating effectiveness of controls (no strong controls to rely upon; cost/benefit relationship; do not test “controls” if ineffective at reducing substantive testing); (unless heavy use of IT- needs test of controls).
2. Combined approach: both tests of operating effectiveness of controls and substantive procedures are used. Typically, if controls are operating effectively, less assurance will be required from substantive procedures (substantive tests are always required for each material transaction, account balance, or disclosure item).