AUD - Assessing Risk and Developing a Planned Response Flashcards
Purpose of an audit
The auditor’s primary role is to provide an impartial (independent) report on the reliability of management’s financial statements
The purpose of an audit is to provide financial statement users w/an opinion by the auditor on whether the financial statements are presented fairly, in all material respects, in accordance w/the applicable financial reporting framework.
A firm must have annual inspections by the PCAOB only if
it conducts more than 100 audits of public companies
The audit partner in charge of an audit of a public company may only
Perform that role for 5 consecutive years
6 Elements of Quality Control
- Leadership responsibilities for quality within the firm (policies/procedures should promote an internal culture that emphasizes commitment to quality)
- Relevant ethical requirements (policies/procedures should address the independence of personnel as necessary)
- Acceptance and continuance of client relationships and specific engagements (policies/procedures should carefully assess the risks associated w/each engagement)
- Human resources (policies/procedures should address important personnel issues)
- Engagement performance (policies/procedures should focus on compliance w/all applicable firm and professional standards and regulatory requirements)
- Monitoring (policies/procedures should provide an ongoing assessment of the adequacy of the system of quality control)
The Statement on Auditing Standards (SASs) constitute GAAS and must
be followed by auditors when AICPA auditing standards are applicable
Engagement partner
The person in the firm who is responsible for:
- audit engagement and its performance
- auditor’s report
Overview of the audit process
- Engagement planning (decide whether to accept the engagement, perform risk assessment, write an audit plan)
- Internal Control Considerations (Obtain an understanding of internal control for planning purposes as required)
- Substantive Audit Procedures (Evidence gathering procedures whose purpose is to detect material misstatements, if there are any)
- Reporting (Conclusions are expressed in writing)
Under Title II of the Sarbanes-Oxley Act, the auditor of an issuer cannot legally perform…
internal audit outsourcing services
Compilation
When the CPA is engaged simply to assemble into financial statement format the financial records of a private company and issue a compilation report without expressing any degree of assurance on the reliability of those statements
Preparation engagement
When the CPA is engaged to prepare the financial statements of a private company w/out expressing any form of assurance
Review
When the CPA is engaged to provide a lower level of assurance (relative to that of an audit) on financial statements of a private company by performing limited procedures…
5 primary responsibilities of the PCAOB
- Registration of public accounting firms
- Inspections of registered public accounting firms (PCAOB is directed to conduct a continuous program of inspections that assess compliance w/SOA, PCAOB rules, SEC rules and all applicable professional standards)
- Standard setting
- Enforcement
- Funding
Preconditions for an audit
The use by management of an acceptable financial reporting framework in the preparation of the financial statements and the agreement of management to the premise on which an audit is conducted
In other words, mgmt is responsible for the fair presentation of financial statements and the design/implementation of effective internal control over financial reporting
Analytical Procedures
Evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data
Audit Data Analytics (ADAs)
Analysis of patterns, IDing anomalies, and extracting other useful info in data underlying/related to the subject matter of an audit through analysis, modelling etc -> this is all for the purpose of planning or performing the audit
5 step process applicable to using ADAs
- Plan the ADA
- Access and prepare the data for purposes of the ADA
- Consider the relevance and reliability of the data used
- Perform the ADA
- Evaluate the results and decide whether the purpose and specific objectives have been achieved
Notable Item
An item that has 1 or more characteristics that, for the relevant assertions, may do the following:
- Be indicative of a risk of material misstatement that (i) was not previously IDed (a new risk) or (ii) is higher than originally assessed by the auditor
- Provide info that is useful in designing or tailoring procedures to address risks of material misstatement
test of controls
A test of control describes any auditing procedure used to evaluate a company’s internal controls. The aim of tests of control in auditing is to determine whether these internal controls are sufficient to detect or prevent risks of material misstatements.
control risk
Control risk is the risk that a misstatement due to error or fraud that could occur in an assertion and that could be material, individually or in combination with other misstatements, will not be prevented or detected on a timely basis by the company’s internal control.
Auditor’s specialist
an individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the auditor to assist the auditor in obtaining sufficient appropriate audit evidence
Management’s specialist
an individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing the financial statements
“Those Charged with Governance”
The persons or organization(s) w/responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity
The auditor’s objectives are to…
- communicate to the audit committee the auditor’s responsibilities regarding the audit and establish an understanding of the terms of the audit engagement w/the audit committee
- obtain information from the audit committee relevant to the audit
- Communicate to the audit committee info about the strategy ad timing of the audit
- PRovide the audit committee w/timely observations about the audits that are significant
critical accounting estimate
an accounting estimate where:
- the nature of the estimate is material due to the levels of subjectivity and judgment necessary to account for highly uncertain matters
- the impact of the estimate on financial condition or operating performance is material
critical accounting policies and practices
a company’s accounting policies and practices that are both most important to the portrayal of the co
When performing Tests of Controls…
Select a sample of transactions and verify that the control procedures of interest were performed on the transactions in the sample which usually requires that the control procedure be documented as it is performed
Wholy substantive audit (also known as substantive audit procedures)
This entails no reliance on internal control (which means the same thing as assessing control risk at the max level)
In other words, the auditor plans to meet the audit risk objectives by performing only substantive audit procedures w/out any expectation about the operating effectiveness of internal control
No Tests of Control would be performed
4 main phases in evaluating internal control
- Obtain an understanding of internal control
- Make a preliminary evaluation about the reliance on internal controls (consider the adequacy of internal control and cost benefit issues)
- Perform the appropriate tests of control if reliance is planned
- Re-evaluate that reliance based on results of the tests of control
Internal control
a process (effected by those charged w/governance, management, and other personnel) that is designed to provide reasonable assurance about the achievement of the entity’s objectives w/regard to the reliability of financial reporting, effectiveness, and compliance w/applicable laws and regulations
Negative/limited assurance
Negative assurance is a confirmation from an auditor that certain facts are accurate because there is no evidence to the contrary. When positive assurance (the proof of facts) is not applicable, negative assurance is used. The purpose of negative assurance is to confirm that no fraud or violations have been found.
**Note, negative/limited assuance is used in reviews
“Nothing came to my attention that makes me believe that there is a misstatement”
Postive assurance
Positive assurance is the affirmation that a Certified Public Accountant believes a something to be true or correct.
**When you do audits, you do positive assurance
E.g. Issuing an opinion that the financial statements are presented fairly in conformity with U.S. GAAP is an example of a CPA providing positive assurance.
Initial audits
Initial audit refers to when the prior year’s financial statements have been audited by a different auditor (referred to as the predecessor auditor)
Q: What if the auditor believes that the financial statements covered by the predecessor’s report require revision?
A: The auditor should try to arrange a 3way meeting involving himself, the predecssor, and entity mgmt. If mgmt refuses to meet to discuss issues related to the appropriateness of previously issued financial statements, the auditor should consider those matters in deciding whether to accept the engagement.
Materiality in auditing
Materiality in auditing = an understanding of what’s important in financial reporting based on the auditor’s perception of the users’ needs
The determination of materiality involves both quantitative (the relative magnitude of the items in question) and qualitative (the surrounding circumstances)
audit risk
The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated
Risk of material misstatement
The risk that the financial misstatements are materially misstated prior to the audit
3 components of audit risk
- inherent risk
- control risk
- detection risk
Audit risk = inherent risk x control risk x detection risk
inherent risk
the probability that a material misstatement would occur in the paticular audit area in the absence of any internal control policies/procedures
control risk
The probability that a material misstatement that occurred in the 1st place wouldn’t be detected and corrected by internal controls that are applicable
Detection risk
The probability that a material misstatement that wasn’t prevented/detected and corrected by internal control wasn’t detected by the auditor’s substantive audit procedures
The essence of the auditor’s responsibility is to…
obtain reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error
The auditor should always document any identified or suspected noncompliance
Unmodified opinion
Unmodified opinion = unqualified opinion
In other words, auditor believes that the financial statements are presented fairly in all material respects
Specialist
AICPA and PCAOB have similar definitions: a specialistis a person (or firm) possessing special skill or knowledge in a particular field other than accounting or auditing
Those Charged with Governance
The people or organizations w/responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity (encompasses the term “BoD” or “audit committee” used elsewhere in the auditing standards)
Mgmt: The person/people w/executive responsibility for the conduct of the entity’s opreations
Matters required to be communicated w/Those Charged with Governance
- The auditor’s responsibilities under GAAS
- The planned scope and timing of the audit
- Significant findings from the audit
- Uncorrected misstatements
- Other matters
Audit committee
A committee established by and among the BoD of a company for the purpose of overseeing the accounting and financial reporting processes of the company and audits of the financial statements of the company
If no such committee exists within the company, then the BoD is the audit committee in that situation
Critical accounting estimate
An accounting estimate where
- the nature of the estimate is material due to the levels of subjectivity and judgment necessary to account for highly uncertain matters or the susceptibility of such matters to change and
- the impact of estimate on financial conditions or operating performance is material
Critical Accounting policies and practices
A company’s accounting policies and practices that are both most important to the portrayal of the company’s financial conditions and results, and require mgmt’s most difficult, subjective, or complex judgments, often as a result of the need to make estimates about the effects of matters that are inherently uncertain
Internal control consists of 5 interrelated components
- Control environment (policies/procedures taht determine th eoverall control of the entity, “tone at the top”)
- Risk assessment - The policies and procedures involving the IDing, priortiziation, and analysis of relevant risks as a basis for managing those risks
- Information and communication systems
- Control activities - authorization, segregation of duties, performance reviews, info processing, and physical controls
- Monitoring - The policies/procedures involving the ongoing assessment of the quality of internal control effectiveness over time
Auditor should identify and assess the risks of material misstatement…
- At the financial statement level; and
- At the relevant assertion level related to classes of transactions, account balances, and disclosures
Substantive Procedures
Substantive procedures are the method or audit tests designed by an auditor to evaluate the financial statements of the company which require an auditor to create conclusive evidence for verifying the completeness, accuracy, existence, occurrence, measurement, and valuation (audit assertions) of the financial records of the business.
IT systems leave no audit trails
Significant deficiency
A deficiency (or combination of deficiencies) in internal control that is less severe than material weakness, yet important enough to merit attention by those charged w/governance
Material weakness
A deficiency (or combo of deficiencies) in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis
Significant deficiences are less severe than material weakness, but still important enough to merit attention by those charged w/governance
The external auditor may use the internal function to…
- Obtain audit evidence that modifies the nature, timing, or extent of audit procedures to be performed by the external auditor; and/or
- provide direct assistance to the external auditor under the external auditor’s direction, supervision, and review
3 necessary conditions before the external auditor may use the internal audit function to obtain audit evidence
- Objectivity
- Competence
- Systematic and disciplined approach
Internal audit function
A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes
Using the internal audit function to provide direct assitance means…
using internal auditors to perform audit procedures subject to the external auditor’s direction, supervision, and review
2 necessary conditions before the external auditor may use the internal audit function to provide direct asstiance
- Objectivity
- Competence
If an auditor has to audit an entity that processes most of its financial data only in electronic form (paperless system), he would most likely use the strategy of
continuous monitoring and analysis of transaction processing w/an embedded audit module
Independent auditor may allow the internal auditor to perform tests of controls
Risk assessment
Audit risk assessment procedures are performed to obtain an understanding of your company and its environment, including your company’s internal control, to identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error
The work performed by each assistant should be reviewed to determine whether it was adequately performed and…
to evaluate whether the results are consistent w/the conclusions to be presented on the auditor’s report
The objective of analytical procedures used near completion of the audit address whether…
the financial statements are consistent w/the auditor’s understanding of the company
Material weakness leads to an
adverse opinion on internal control
In assessing the objectivity of internal auditors, an independent auditor should
Determine the organizational level to which the internal auditors report
The logic is that the CPA should consider organizational status and policies for maintaining objectivity
distributed data processing system
a processing system in which there is a network of remote computer sites, each having a computer connected to the main computer system (which allows access to the computers by various levels of users)
Comparing the current year’s slaes to that of the prior year is an analytical procedure at a high level of aggregation that would normally be done in
planning the audit
Analytical procedure is used to…
gather evidence with respect to relationships among various accounting and nonaccounting data
Substantive testing
Substantive testing is an audit procedure that examines the financial statements and supporting documentation to see if they contain errors. These tests are needed as evidence to support the assertion that the financial records of an entity are complete, valid, and accurate.
Examples:
- Issue a bank confirmation to test ending cash balances
- Contact customers to confirm that accounts receivable balances are correct
- Observe the period-end physical inventory count
- Confirm the validity of inventory valuation calculations
- Confirm with experts that the fair values assigned to assets obtained through a business combination are reasonable
- Physically match fixed assets to fixed asset records
- Contact suppliers to confirm that accounts payable balances are correct
- Contact lenders to confirm that loan balances are correct
- Review board of directors minutes to verify the existence of approved dividends
An auditor should obtain sufficient knowledge of the entity’s risk assessment process to understand how mgmt considres risks relevant to financial reporting objectives and decide about actions to address those risks -> that knowledge might include…
- understanding of how mgmt identifies risks
- understanding how mgmt estimates the significance of risks
- understanding how mgmt assesses the likelihood of their occurrence and relates them to financial reporting
Which of the following is not a procedure performed primarily for the purpose of expressing an opinion on the financial statements, but may bring possible illegal acts to the auditor’s attention?
Answer: Review of policies concerning effectiveness of mgmt decision making policies
This answer is correct because the review of effectiveness of decision making policies is not a procedure when expressing an opinion on the financial statements. External auditors are primarily concerned with internal controls that affect recording, processing, summarizing, and reporting financial data.
To establish illegal “slush funds,” corporations may divert cash received in normal business operations. An auditor would encounter the greatest difficulty in detecting the diversion of proceeds from
A: scrap sales
This answer is correct because scrap sales are generally irregular in nature and these sales often are inadequately controlled by the internal control.
This lack of adequate internal control makes it difficult for the auditor to detect any irregularities.
Before accepting an engagement to audit a new client that has previously been audited by another CPA firm, a CPA is required to obtain
A: The prospective client’s consent to make inquiries of the predecessor
This answer is correct because a CPA should obtain the prospective client’s consent to make inquiries of the predecessor; ordinarily, such inquiries are then made.
Auditors try to identify predictable relationships when using analytical procedures. Relationships involving transactions from which of the following accounts most likely would yield the highest level of evidence?
A: interest expense
Estimation of interest expense, based on interest rates and principal balances, would most likely yield the highest level of evidence because the relationship is highly predictable.
Relationships involving P/L accounts are more predicable than relationships involving BS accounts because P/L accounts involve transactions occurring over a period of time rather than at a point in time.
fraud risk factors do not necessarily indicate the existence of fraud, they often have been observed in circumstances where frauds have occurred.
Which of the following procedures would an auditor most likely perform in planning a financial statement audit?
A: comparing the financial statements to anticipated results
The requirement is to identify the audit procedure that an auditor will most likely perform during risk assessment for a financial statement audit. AU-C 315 requires that an auditor perform analytical procedures such as comparing the financial statements to anticipated results during the planning stage of an audit.
Before accepting an audit engagement, a successor auditor should make specific inquiries of the predecessor auditor regarding the predecessor’s
A: Understanding as to the reasons for the change of auditors
The requirement is to identify the correct statement regarding a successor auditor’s inquiries of the predecessor auditor. Answer (b) is correct because the successor should request information such as (1) facts that might bear on the integrity of management, (2) disagreements with management as to accounting principles, auditing procedures, or other significant matters, and (3) the predecessor’s understanding of the reasons for the change of auditors.
In using the work of a specialist, an auditor may refer to the specialist in the auditor’s report if, as a result of the specialist’s findings, the auditor
A: adds an emphasis-of-matter paragraph to the auditor’s report to emphasize an unusually important subsequent event
This answer is correct because the specialist is only referred to when that report directly relates to a matter resulting in modification of the report—here an important subsequent event.
It might also involve a case in which a specialist’s valuation differs from management’s valuation.
Which of the following would an auditor most likely use in determining the auditor’s preliminary judgment about materiality?
A: the entity’s annualized interim financial statement
This is correct because many materiality measures relate to an annual figure (e.g., net income, sales).
requirements for engagement letters, specifically states that an engagement letter should include, among other matters, identification of the applicable financial reporting framework used to prepare the entity’s financial statements.
Detection risk differs from both control risk and inherent risk in that detection risk
A: Can be changed at the auditor’s discretion
This answer is correct because auditors determine an appropriate level of detection risk based on their assessment of the risk of material misstatement composed of inherent risk and control risk.
With respect to planning an audit, which of the following statements is always true?
A: It’s acceptable to perform a portion of the audit of a continuing audit client at interim dates
It is acceptable for an auditor to perform a certain portion of the audit at an interim date; for example, performing a portion of planning prior to year-end is always acceptable for a continuing client. Also, when a new client has engaged an auditor prior to year-end, a portion of the audit may be conducted prior to year-end.
analytical procedures involve an assumption of the existence of a plausible relationship among financial and nonfinancial information
In general, material fraud perpetrated by which of the following are most difficult to detect?
A: controller
A fraud committed by the controller is most difficult to detect because the controller is in control of the recordkeeping function and thus may be able to commit a fraud and then manipulate the accounting records so as to make its discovery unlikely.
Which of the following activities is most likely to be performed near completion of an audit to ensure that the financial statements are free from material misstatement?
A: Comparing the current year’s financial statements w/those of the prior years
This answer is correct because these procedures are used by an auditor when forming an overall conclusions about whether the financial statements are consistent with the auditor’s understanding of the entity and comparing current year financial statements with those of the prior year will help the auditor to determine whether the amounts seem reasonable.
What is an auditor’s responsibility who discovers management involved in financially immaterial fraud?
A: report the fraud to the audit committee
AU-C 240 requires that all management fraud, regardless of materiality, be reported to the audit committee.
fraud risk factors may be identified during planning, obtaining an understanding, or while conducting fieldwork; in addition, they may be identified while considering acceptance or continuance of clients and engagements.
When such transactions are few in number and involve large dollar amounts, it is likely that an audit trail would exist, which would support the auditor’s substantive tests.
Inadequate accounting records may cause an auditor to conclude that it is unlikely that sufficient appropriate evidence will be available to support an opinion on the financial statements; accordingly, an auditor may determine that the financial statements are not auditable.
When applying analytical procedures during an audit, which of the following is the best approach for developing and evaluating expectations?
A: IDing reasonable explanations for unexpected differences before talking to client management
This answer is correct because identifying reasonable explanations for unexpected differences before talking to client management will help the auditor to consider why the differences might have occurred and the reasonableness of management’s replies.
Missing documents may be indicative of fraud.
Comparing the financial statements to anticipated results is an analytical procedure, which would most likely be performed in planning a financial statement audit.
Analytical procedures are required to be performed during planning and the comparison of actual to budget is a commonly performed analytical procedure.
Detection risk, the risk that audit procedures will not detect a material misstatement, increases due to the three months between confirmation and year-end.
Decreasing the tolerable amount of misstatement will require the auditor to do one or more of the following:
(1) perform auditing procedures closer to the balance sheet date (answer [b]);
(2) select a more effective auditing procedure; or
(3) increase the extent of a particular auditing procedure.
AU-C 315 and AU-C 520 require the use of analytical procedures at both the risk assessment and near completion of the audit, but not as a substantive procedure.
Analytical procedures assume that plausible relationships among data may reasonably be expected to exist and continue in the absence of known conditions to the contrary.
For this reason, data can be used to predict future balances against which recorded balances may be compared.
Auditors do not generally initiate a discussion on materiality, although they do occasionally respond to such questions.
Early appointment of the independent auditor will enable a more efficient audit to be planned
In using the work of a specialist, an understanding should exist among the auditor, the client, and the specialist as to the nature of the work to be performed by the specialist. Preferably, the understanding should be documented and would include all of the following except
A: A statement that the methods or assumptions to be used aren’t inconsistent w/those used by the client
Analytical procedures used in planning the audit should focus on
(1) enhancing the auditor’s understanding of the client’s business and the transactions and events that have occurred since the last audit and
(2) identifying areas of specific risk to the audit.
An auditor’s decision whether to apply analytical procedures as substantive tests usually is determined by the
A: precision and reliability of the data used to develop expectations
This answer is correct because, to have value in substantiating the assertions in an account, the data used should be reliable and precise enough to provide the desired level of assurance.
in assessing competence of an internal auditor, an independent CPA will consider the quality of working paper documentation as well as a variety of other factors outlined in AU-C 610
Which of the following statements is correct concerning an auditor’s communication on internal control related matters noted in an audit of a nonpublic company?
A: The auditor may choose to communicate significant control-related matters either during the course of the audit or up to 60 days after the audit report release date
Which of the following statements regarding auditor documentation of the client’s internal control is correct?
A: No one particular form of documentation is necessary, and the extent of documentation may vary
An auditor assesses control risk because it
Affects the level of detection risk that the auditor may accept
In planning an audit, an auditor should document in the working papers the auditor’s risk assessment of a material misstatement of the financial statements due to fraud. Which of the following should be included in workpaper documentation if risk factors are identified as being present?
A: Those risk factors identified
AICPA Professional Standards specifically require that the documentation regarding the auditor’s risk assessment related to fraud include the identified and assessed risks of material misstatement due to fraud
substantive analytical procedures are substantive tests which can aid in the detection of material errors by identifying unexpected fluctuations or the absence of expected fluctuations in the relationships between data.
Which of the following factors is most likely to affect the extent of the documentation of the auditor’s understanding of a client’s system of internal controls?
A: to degree to which information technology is used in the accounting function
This answer is correct because differences in information technology use will have a major effect. For example, documentation of the understanding of a complex information system with a large volume of transactions may include flowcharts, questionnaires, and/or decision tables; documentation for an information system with limited or no use of IT and few transactions may be in the form of a memorandum.
Increasing analytical procedures decreases detection risk in a manner which may counterbalance the condition in internal control.
In effect, the weakness in internal control is compensated for by increased substantive testing
Assessing control risk at a low level most likely would involve
A: identifying specific controls relevant
Assessing control risk at a low level involves
(1) identifying specific controls relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions, and
(2) performing tests of controls to evaluate the effectiveness of such controls.
Analytical procedures performed near the end of an audit suggest that several accounts have unexpected relationship
When unexpected relationships exist, additional tests of details are generally required to determine whether misstatements exist.
Analytical procedures used in the overall review stage of an audit generally include
Considering unusual or unexpected account balances that weren’t previously identified
A “direct effect” illegal act is one that would have an effect on the determination of financial statement amounts
Tests of controls directed toward effectiveness or operation of a control would ordinarily include inquiries, inspections of documents, observation, and reperformance of the application of a control
An increase in the extent of tests of details (a type of substantive test) will decrease detection risk, which is appropriate when there is an increase in control risk
risk assessment procedures are performed to assess the risk of material misstatement throughout the financial statements.
An auditor assesses the organizational status of the director of internal audit as a method of addressing the function’s likely independence from management
A control deficiency is a condition in which the operation of a control does not allow management, or employees, in the normal course of performing their functions to prevent or detect misstatements on a timely basis—it does not explicitly consider likelihood of loss.
An auditor uses the risk of material misstatement to determine the acceptable level of detection risk for financial statement assertions.
The auditor then uses the acceptable level of detection risk to determine the nature, timing, and extent of the auditing procedures to be used to detect material misstatements in the financial statement assertions.
An auditor may communicate significant deficiencies either during an audit or after the audit’s completion.
Which of the following is required documentation in an audit in accordance with generally accepted auditing standards?
A: an audit plan
tests of controls are only performed on controls that the auditor plans to consider is assessing the risk of material misstatement.
independent auditor responsibility cannot be shared with the internal auditors for any judgments