AUD Pt II - Assessing Risk and Developing Planned Response Flashcards
What is the high-level audit planning process? (6 steps)
1) Understand the entity and its environment, including internal controls
2) Perform risk assessment procedures
3) Set materiality
4) Assess Risk of Material Misstatement, whether due to fraud or error, at the F/S level and relevant assertion levels
5) Develop an overall audit strategy and response to respond to risks at the F/S level
6) Build a detailed audit plan with further audit procedures to respond to risks at the relevant assertion level
What 4 things does an overall audit strategy contain?
1) Description of engagement characteristics
2) Reporting Objectives of Engagement
3) Important factors for team’s focus
4) Overall audit response to RMM
How does an audit strategy help an auditor?
Helps auditor to determine NTE, allocate, and supervise required resources and further procedures
When does audit planning begin and end?
Begins at acceptance and continues through the engagement
What are continuing documentation requirements for audit planning?
Document any revisions and changes to strategy and plan
What three different types of audit procedures are included in the detailed audit plan?
Risk Assessment Procedures
Further Audit Procedures
Other required procedures
What are two reasons and the main outcome/purpose of risk assessment procedures? (RAP)
1) Identifies and evaluates relevant risk factors
2) Identifies and evaluates related controls
3) Assists in designing Test of Controls (for operating effectiveness) AND Nature, Timing, and Extent (NTE) of further substantive procedures
What are planning documentation requirements for non-audit engagements?
Documentation should always be sufficient and appropriate for the situation and accountant’s needs
But, all nonaudit engagements do not have laws requiring documentation or preparation of a detailed engagement plan. Nevertheless, Quality Control monitoring objectives often necessitate an adequate documentation trail.
Understanding the entity and its environment (including I/C) helps the auditor establish a frame of reference for what 3 relevant job duties?
Planning the audit
Exercising professional judgement about RMM (risk of material misstatement)
Responding to risk
What must the auditor document with regard to his/her understanding of the en&env? (3)
Auditor must document the PROCEDURES PERFORMED (format is flexible: matrix, flowchart, narrative), SOURCE of information, and KEY ELEMENTS of the understanding obtained (risks and controls ID’d)
What are the five aspects an auditor should understand regarding the en&env?
1) Industry, regulatory, and other external factors
2) The nature of the entity (undstd CAD)
3) Entity objectives, strategies, and related business risk affecting RMM
4) Measurement and review of financial performance
5) Internal Control Environment
When understanding the en&env, what are 5 categories under the nature of the entity?
Business operations
Financing structure
Investments
Financial reporting (F/R)
IT environment
Define Business Risk in relation to RMM?
Business Risk: Anything that will hinder a company’s ability to meet its set objectives
Business risk is broader than, but includes, RMM
When understanding the en&env at an organizational level, an auditor is concerned with what three things?
(delete?)
Business issues
Process optimization
Tech standardization
What is the purpose of Internal Controls? (I/C)
To provide reasonable assurance for achieving an entity’s objectives over
- reliability of F/R
- efficiency and effectiveness of operations
- compliance with regulation
Of the three entity objectives related to an entity’s I/C, which one is the main concern for the auditor?
The reliability of F/R
What is an auditor’s primary consideration when understanding the I/C environment?
“Whether controls properly PDCMM (prevent or detect-and-correct material misstatements) in relevant assertions on a timely basis.”
How controls impact F/S assertions, and reliability of F/R (element 1/3 for I/C)
What does the COSO Framework stand for?
The Committee of Sponsoring Organizations Integrated Framework
What three topics does the COSO Framework provide guidance for?
Enterprise Risk Management (ERM)
Internal Controls (I/C)
Fraud deterrence
What are the 5 interrelated components of the COSO Framework for I/C?
1) Control Environment
2) Risk assessment process
3) Information and Communication systems
4) Control Activities
5) Monitoring
What is the acronym for the 5 components of the COSO Framework for I/C?
CRIME -
C-Control Activities
R-Risk assessment
I-Info and Comm systems
M-Monitoring
E-control Environment
Define COSO’s “Control Environment” component, and important aspects for the auditor to consider.
The Control Environment is the foundational element of good I/C; it is the tone of the organization.
The auditor should understand mgmt’s and gov’ces attitudes, concentrating on proper Implementation of controls.
Define COSO’s “Risk Assessment” component, and important aspects for the auditor to consider.
The Risk Assessment process includes identifying, analyzing, and managing business risk (threats to not achieving business objectives).
The auditor should understand mgmt’s process to consider risk and decide on actions.
Define COSO’s “Info and Comm Systems” component, and important aspects for the auditor to consider.
Identifying, capturing, and exchanging information in a form and timeliness to assist everyone’s responsibilities.
The auditor should understand the F/R Flow of Information/Transaction Cycle, and how the entity communicates roles, responsibilities, and significant matters.
What are the 3 buckets of F/R Flow of Information?
1) Initiate and Authorize
2) Record and Process
3) Reconcile and Report
Define COSO’s “Control Activities” component, and important aspects for the auditor to consider.
Policies and procedures (p&p) to ensure management directives are carried out & necessary actions to address business risks are taken.
Auditor should understand relevant controls and pay special attention to I/C addressing higher RMM.
Define COSO’s “Monitoring” component, and important aspects for the auditor to consider.
Assessing the quality of Design and Implementation of I/C on a timely basis & taking corrective action where necessary.
The auditor should understand types of monitoring activities, how mgmt initiates corrective action, and report information source & quality, and mgmt basis for relying on info.
What are the three classes of I/C?
Preventative controls
Detective controls
Corrective controls
What is the goal of understanding an entity’s internal controls?
Through RAP of D&I of I/C, an auditor understands I/C sufficient to assess RMM of F/S (due to fraud or error) and design NTE of FAP
Define Design and Implementation of I/C.
Design - (a) control(s) is capable of effectively PDCMM
Implementation - the control actually exists and is used
What are the three theoretical “steps” to performing RAP to understand I/C?
1) Understand control environment’s design and implementation of internal control.
2) Use understanding to assess RMM
3) Test relevant/applicable controls for operating effectiveness
Why are the three “steps” of RAP labeled theoretical?
Because they are often integrated with substantive procedures and test of controls in practice
When performing the three RAP “steps,” what are applicable procedures for each step?
Understanding control environment: Inquiry, Observation, Inspection, Tracing
Assessing RMM: Inquiry, Observation, Inspection, AP (analytical procedures)
Testing Controls: Inquiry, Observation, Inspection, Reperformance
Note: Inquiry alone is not sufficient to understand the control environment
Note: When testing controls, the same procedures are much more in depth
Note: Obtaining an understanding does not equal testing controls for op’g eff’n
What are the timing requirements for Testing Controls for Operating Effectiveness per GAAS, both issuers (PCAOB) and nonissuers (GAAS)?
Nonissuers - “rotational testing”
If control mitigates a significant risk - must test in the CY audit
If not a significant-risk control and,
- If controls have changed - test in the CY audit
- If controls have not changed - test every three years
Issuers
Must test controls that you plan to rely on for operating effectiveness in the CY audit
List and explain the F/S assertions.
Existence/Occurrence - items exist as of B/S date or transaction (tx) occurred during the audit period
Completeness - population of txs are complete
Rights & Obligations - clear title to assets / actual obligation for liabilities
Valuation & Accuracy - properly valued and measured
Accuracy, Classification - properly classified and understandable to users
Cutoff - recorded in proper period
What are 3 inherent limitations to I/C?
1) Mistake or error (human or IT)
2) Collusion
3) Mgmt Override
How does an auditor determine which I/C is relevant to the audit, both to understand and evaluate?
Use professional judgement
What is a very effective procedure for understanding/risk assessing business processes? Explain the procedure.
Walkthroughs
Following a transaction from inception to reporting for significant processes.
Auditor should document transaction & data flow, and relevant controls.
Why are walkthroughs such an effective procedure?
It combines 4 other procedures: inquiry, observation, inspection and reperformance
It assists and verifies the auditor’s understanding of the transaction cycle, RMM, and I/C
What are IT general controls?
Broad controls, policies, and procedures that support the effectiveness of application controls, and that are implemented, managed and monitored by IT.
What is the effect of ineffective IT general controls?
The RMM increases
(Does not directly cause MM)
What are the general benefits (2) and risks (1) of using IT systems?
Benefits:
- effective and efficient I/C
- timely, available, and accurate info
Risks:
- completeness & reliability of I/C
When are IT systems effective?
When INTEGRITY of info and SECURITY of data are maintained
What should an auditor be concerned about when evaluating a client’s IT system?
That the client has adequately responded to IT risks with proper General and Application controls
What is the proper IT segregation of duties? List the acronym, elements, and description.
COPAL
C-control group (monitoring function)
O-operators (operating function)
P-programming (programming)
A-analysts (designing function)
L-librarian (record keeping function)
What is the proper F/R segregation of duties? List the acronym and elements.
CAR
C-custody
A-authorization
R-record keeping
What are the 5 phases of IT design and implementation?
1) System Analysis - setting overall objectives
2) System Design - (analysts SoD)
3) Programming and testing - (programming SoD)
4) Implementation - most costly point for errors (operating & record-keeping SoD)
5) Monitoring - (monitoring SoD)
What is a proper disaster recovery plan?
Identify critical operations and create restoration plan in case of loss
Store backup files offsite
Design notification procedures
Test plan periodically
What are an auditor’s responsibilities for IT application controls?
Must identify and document relevant controls within significant business process
What three things should an auditor identify and document for clients that use service organizations?
Auditor is responsible for identifying and documenting the
1&2) purpose and significance of using a service organization, and
3) impact of using a SOC report in the audit
What are the main concerns of a SOC I and SOC II report, and when are they applicable in an audit?
A SOC I report deals with I/C over F/R, and is applicable when a client outsources accounting services to a service organization.
A SOC II report deals with sufficient IT controls and security/integrity, and is applicable when a company outsources IT.
What SOC report is of greatest concern to an auditor?
SOC I Type II (test of D&I and operating effectiveness of controls of a service organization relevant to the user entity’s controls on F/R).
What does a SOC I report report on? What’s the difference between Type I and II reports?
SOC I reports on a service organization’s internal controls that are relevant to user entities.
Type I report attests to the suitability of design of controls for the service organization as of a POINT in time.
Type II report attests to the suitability of design AND operating effectiveness of a service organization for a PERIOD of time.
When dealing with SOC reports, what must a user auditor do to rely on a service auditor’s SOC report?
User auditor must evaluate the competence and independence of a service auditor
When using a SOC report in an audit, what does the user auditor include/reference in their report, whether unqualified or modified?
Unqualified - make no reference to service auditor or SOC
Qualified - only refer to service auditor if it helps understanding the modification
What are the 9 elements of a SOC I Type II report?
1) Must include “Independent” in the title
2) Name addressee
3) Describe the nature of the engagement and include the date
4) State the engagement “followed AICPA standards”
5) List service organization and service auditor responsibilities
6) Describe the examination & test of controls
7) Give 3 opinions (A) on mgmt’s description, (B) on design suitability, (C) on operating effectiveness
8) Mention inherent limitations
9) Restrict the use of report distribution
What is the general approach to how an audit is conducted?
A risk-based approach - understand and evaluate areas of risk, and modify procedures appropriately to sufficiently lower audit risk to an acceptable level
What must the auditor document in regard to RMM due to fraud?
Any specific RMM due to fraud identified, and describe the auditor’s response to it
What are the auditor’s responsibilities for procedures over mgmt override vs fraud?
The auditor must always and separately test for mgmt override, regardless of whether fraud has been identified.
What are common procedures to test for mgmt override of controls?
Testing/Reviewing Journal entries and other adjustments
Review estimates for bias and reasonability
Evaluate the business purpose for significant, unusual transactions
What are the four attributes of RMM due to fraud?
1) The type of risk involved (Fraudulent F/R vs Misappropriation of assets/defalcation)
2) Significance of that risk (ability to cause MM)
3) Likelihood of the risk
4) Pervasiveness of the risk (to specific CAD or whole F/S)
What are the three elements of the fraud triangle?
Incentive or pressure
Opportunity
Rationalization or attitude
What must an auditor discuss with governance about when assessing risk of fraud?
Management’s ability to override I/C
Management’s ability to employ earnings mgmt
Lack of controls, monitoring, or corrective actions from management
Any suspicious or aggressive activity from management
What are the elements of the engagement team’s in-house discussion regarding fraud?
Discuss the susceptibility of the F/S to RMM due to fraud, or error
Discuss any known internal/external factors creating the fraud triangle
Emphasize the need for professional skepticism
Discuss opportunities for management override
Share any unusual accounting procedures the client uses
Discuss materiality and its effect on extent of testing
What must the engagement team document after its discussion regarding fraud?
Who, how, and when the meeting was held
The subjects discussed
Any decisions/conclusions reached
When inquiring about fraud, what types of questions should the auditor ask?
If there is any known, suspected, or alleged fraud
The person’s understanding of fraud risks pertaining to the entity
Policies and procedures in place to prevent, detect-and-correct, or mitigate fraud and fraud risk
Communications between mgmt and governance about fraud risk
Communications between mgmt and the employees about ethics and good business practices
If the person knows of any significant, unusual transactions that have occurred
Who should the auditor inquire of about fraud and fraud risk?
Mgmt, governance, and others: Internal Audit, Operating personnel, people involved in recording significant, unusual transactions, and in-house legal counsel
What is an auditor’s responsibility for fraud in a SSARS review engagement?
Preparation and Compilation - no assurance - no responsibility
Review - take action and notify mgmt if fraud becomes suspected or known
When documenting RMM, how can it be expressed?
Quantitatively - with percentages
Qualitatively - using “high,” “medium,” “low,” etc
How does an auditor identify and assess RMM?
By performing RAP to understand the en&env, I/C, and particular CAD’s in the F/S and to support RMM basis and plan the NTE of FAP
How can an auditor make an audit extremely efficient?
Perform Test of Controls and Substantive Test of Details at the same time as Risk Assessment Procedures
What are four presumed risk assessment procedures (RAP)?
Inquiry, Analytical Procedures, Observe, Inspect
Note: all four procedures not required for every aspect of RMM, but presumed used at least 1 time
When are AP (analytical procedures) required during the audit?
Required during planning
Optional as a substantive procedure
Required during final review
What is the goal of an audit program?
Gather sufficient and appropriate evidence
Display the link between audit objectives and procedures (to be) performed
Define an audit plan.
A detailed plan of programs and procedures that address specific audit objectives
What are the three categories of assertions in the F/S?
CAD
Classes of transactions
Account balances
Disclosures
Define assertions.
Explicit and implicit representations by mgmt embodied in the F/S and used by the auditor to consider different types of potential material misstatement
List the 7 assertions and relevant categories.
Existence and occurrence - CAD
Completeness - CAD
Accuracy - C D
Cutoff - C
Classification - C D
Rights & Obligations - AD
Valuation & Allocation - AD
What is the transaction cycle?
8) Produce the Financial Statements
7) Create the trial balance
6) Record in general ledger
5) Record in subsidiary ledger
4) Record in general journal
3) Source documentation created
2) Execution of an event
1) Authorization of an event
Trace vs Vouch? What direction of the transaction cycle does it travel and what assertion does it test?
Tracing - starts early in the transaction cycle and goes to later steps (travels upward)
Tracing tests completeness
Vouching - starts later in the transaction cycle and moves backwards (travels downward)
Vouching tests existence/occurrence
What are the 5 levels of qualitatively assessing risk, and what defines the risk at that level?
“Super High” RMM - risk is probable and material
High RMM - possible and material
Moderate RMM - possible and significant
Low RMM - possible and trivial
“Super Low” RMM - risk is remote and trivial
What are the two broad types of audit risks, and how does the auditor respond to them?
Risks at the F/S level (pervasive) > overall audit strategy (audit conduct)
Risks at the relevant assertion level > detailed audit plan (NTE of FAP)
What does an auditor consider when planning NTE of further procedures?
Addressed risk’s magnitude and likelihood
Nature of related I/C
Auditor’s plan to rely on I/C
What must be true of I/C for an auditor to rely on them?
I/C must be well designed, and must be operating effectively in the CY audit period
When a risk is assessed higher, what must an auditor do to address the risk?
Auditor must obtain more persuasive audit evidence (more reliable and more relevant)
What defines the “nature” of a further audit procedure?
Its PURPOSE (Test of Details vs Test of Controls), and TYPE (inquiry, observation, etc.)
What defines the “timing” of a further audit procedure?
WHEN a procedure is performed (closer to period end or more surprise of a procedure, the more persuasive the evidence)
What defines the “extent” of a further audit procedure?
QUANTITY of procedures performed (sample size)
What is the audit risk model?
AR = (IR x CR) x DR
RMM = IR x CR
AR - Audit Risk
IR - Inherent Risk
CR - Control Risk
RMM - Risk of Material Misstatement
DR - Detection Risk
What are the relationships between the components in the audit risk model?
RMM – CR > direct relationship
RMM – DR > inverse relationship
RMM – NTE of FAP > direct relationship
DR – NTE of FAP > inverse relationship
When is planning materiality set?
When establishing the overall audit strategy
Considering audit risk and planning materiality, what does an auditor then do?
Plan NTE of RAP
Identify and assess RMM
Plan NTE of FAP
Evaluate and provide an opinion
Define Inherent Risk (IR).
Susceptibility of relevant assertion to material misstatement, without regard to internal control
Define Control Risk (CR).
The risk that RMM, in the individual or in aggregate, is not PDCMM on a timely basis
Define Detection Risk (DR).
The risk that the auditor won’t detect a material misstatement.
Define Audit Risk (AR).
The risk that the auditor will issue the wrong opinion.
Define materiality for an issuer or a nonissuer.
Nonissuer materiality: Substantial likelihood of influencing the judgement of a reasonable user of the F/S.
Issuer materiality: Substantial likelihood of influencing the judgement of a reasonable shareholder.
What is a common method for setting planning materiality?
Percentage of benchmarks
What is planning materiality?
Materiality set for F/S as a whole
What is performance materiality?
Materiality set at a lower threshold than planning, and that is targeted at specific CADs
Purpose: Reducing risk of aggregate material misstatement
What is tolerable misstatement?
The application of performance materiality to a sample population
What are the documentation requirements for materiality?
Document planning & performance materiality, and tolerable misstatement, as well as the basis for each, and any revisions during the audit.
What is the key to considering materiality?
Consider materiality in the terms of the smallest aggregate level of misstatement that could be material
Audit for the lower threshold of materiality between interrelated accounts
In what situations do the AICPA standards apply for component auditors?
When one or more components to the group F/S are audited by or specific audit work is outsourced to a different group firm location or a different accounting firm
What must the auditor audit depending on the significance of a component to a group financial statements?
If the component is significant to the group financial statements:
-Individually: must audit financial information
-Not individually, but includes a significant RMM to the group F/S: must audit whatever CAD is material
-Not at all: AP with FAP as necessary, or pass immaterial
What are the responsibilities of the group audit team and group engagement partner?
Team: Understanding the component auditor & assisting group engagement partner
Partner: Directing-supervising-conducting group engagement, approval strategy & plan, evaluating reasonableness of audit opinion, and making decisions with the audit report
What are five procedures required for a group engagement team to perform when using a component auditor?
1) Understanding the component auditor (evaluating the ca’s professional competence, reputation, and legal/ethical compliance)
2) Be involved in the risk assessment process of significant components
3) Set all levels of materiality for both group F/S AND components
4) Adapting procedures as necessary (limiting or modifying component work & communications)
5) Assessing/reviewing the adequacy and appropriateness of audit evidence
When is relying on a component auditor without reference in the final report appropriate? (3)
Component auditor is associated or retained by group audit team
Group partner is satisfied with component auditor’s work
Component auditor’s work is immaterial to group F/S
What are the 3 stated preconditions to making reference to a component auditor in the final audit opinion? What happens if they are not originally met?
Component F/S used the same framework as the group F/S
- if not, the group team must disclose responsibility for adjustments
Component auditor performed in compliance with the same service criteria as the group auditor
- if not, group team must disclose original standards and any adjusting procedures
- explicitly precluded from making reference if GAAS not met
Component auditor must not have restricted distribution
When making reference to a component auditor in the final audit opinion, what must be included in the reference?
Reference must indicate dollar or percentage amount audited by “another” auditor
- permission to use component auditor’s name and report is optional
When can group team not rely on component auditor’s work?
When the component auditor lacks independence
When the group team has concerns about the component auditor’s work
If so, group must qualify or disclaim opinion
How is a specialist defined, and what are the two types of specialists?
Someone with a particular knowledge in a field outside of accounting and auditing
There are management’s specialists and auditor’s specialists
At an overview level, what are an auditor’s responsibilities regarding a specialist?
Auditor should UNDERSTAND subject matter and specialist enough to COMMUNICATE objectives of specialist’s work, and EVALUATE sufficiency and results of procedures performed.
What must an auditor evaluate in regard to using a specialist?
Must evaluate COMPETENCE, CAPABILITIES, & OBJECTIVITY of specialist, regardless of what type.
What must an auditor agree upon and document in regard to using a specialist?
Specialist roles, responsibilities, objectives, scope & nature of work, and form and content of communications/reports
What must an auditor do to rely on the specialist report?
Nothing. Report is presumed reliable, unless other information indicates it is unreasonable, in which case further tests for reasonability should be performed.
In regard to the audit report, when can an auditor make reference to the work of a specialist?
Unmodified opinion - cannot refer
Qualified opinion - only reference if it helps users understand the qualification, but also restate auditor’s ultimate opinion for F/S
How does IA (internal audit) fit into the I/C environment?
IA assists in the monitoring function of I/C
How can an external auditor use IA’s work?
To reduce, change, or directly/indirectly assist in NTE of audit procedures, RAP or FAP
In regard to the audit report, when can the independent auditor make reference to the work of internal audit?
Never
What must an auditor evaluate when planning to use internal audit?
Must assess IA’s COMPETENCE & OBJECTIVITY
Communication and coordination with IA
What are relevant inquiries about IA when planning an audit?
IA’s reporting structure
IA’s application of professional standards and QC
IA’s audit plan and scope restrictions
Access to IA records
How does an external auditor evaluate IA’s competence?
Look at IA’s education level, professional experience, certifications, CPE, QC systems, etc.
How does an external auditor evaluate IA’s objectivity?
Look at IA’s organizational status, reporting structure, and interaction/access with BoD
- the higher the exec to report to, the better
What two aspects create audit supervision?
Actively directing lower-level assistants in accomplishing audit objectives (often through audit programs)
Subsequent review and determination of whether objectives were achieved
What are typical manager- or partner-level reviews of audit work?
Review and evaluate:
Overall Strategy, RMM, and detailed audit plan
Sufficiency and appropriateness of audit evidence
Detailed review of F/S, disclosures, and schedules
Significant/unusual matters and resolutions
What is the purpose of second-partner engagement QC reviews?
Ensure the fair presentation of F/S for high-risk engagements
What are the auditor’s responsibilities regarding matters of legal compliance?
Auditor needs to obtain sufficient and appropriate evidence to provide REASONABLE ASSURANCE for COMPLIANCE with matters that MATERIALLY and DIRECTLY affect the F/S
What are mgmt’s responsibilities regarding matters of legal compliance? (3)
Conduct operations in legal compliance
Report amount and disclosures in accordance
What are three reasons for inherent limitations on an auditor’s ability to provide assurance for legal compliance?
Many laws don’t directly affect the F/S
Collusion & lying to the auditor
Courts decide what constitutes noncompliance
What must an auditor do if he/she becomes aware of noncompliance?
Understand the nature and circumstances of the noncompliance
Obtain information to evaluate F/S effect
Communication with mgmt
What must an auditor document in regard to legal noncompliance?
Auditor must document
Description of the noncompliance
Results of communication w/ mgmt
What is an auditor’s responsibility regarding significant accounting estimates? (5)
Auditor needs to IDENTIFY significant estimates, UNDERSTAND mgmt’s process for developing such, and identify and ASSESS related RMM
Auditor needs to OBTAIN sufficient and appropriate evidence to ENSURE the estimate is reasonable, adequately and properly accounted for and disclosed
What are three methods of responding to the assessed RMM for significant accounting estimates?
a. Test company’s process to develop estimate (methods, data, assumptions, etc.)
b. Develop independent expectation and compare
c. Evaluate related audit evidence and compare
According to the FASB ASB Glossary, what entities constitute related parties?
Affiliates, equity-method investments, mgmt-managed EBP trust, principal owners & immediate families, mgmt & immediate families
What are an auditor’s responsibilities regarding related parties?
To identify related parties and ensure relationships & transactions are properly & understandably presented and disclosed (substance, not form)
When disclosing related parties and transactions, what elements should the auditor ensure are disclosed?
Relationship nature
Proper description of transaction
Dollar volume of transactions
Amounts due to/from related parties
What is a major red flag of related party transactions?
The transaction lacks substance
What kinds of audits have significant “super high” audit risk?
Every audit will have at least some significant risk area.
What are an auditor’s responsibilities regarding significant audit risk?
Document identified risk
Document risky circumstances and auditor response
Obtain more persuasive (relevant and reliable), sufficient and appropriate audit evidence in a cost effective way
What is online inquiry?
An interactive procedure that allows authorized personnel (incl. auditor) to select and view individual records or transactions
What is parallel simulation?
Process of inputting real data through audit programs so simulated output and regular output can be compared.
What is mapping?
Monitoring the execution of a program.
Auditor performs substantive procedures at an interim date. What must happen to ensure audit conclusion remains consistent until period end?
Test of Controls and/or further substantive procedures during the remaining period to provide reasonable basis for extending audit conclusions from interim to period-end
What characterizes the recession phase of the business cycle?
Increase in unemployment
Decrease in consumer purchases
Increase in inventories
Decreased output and fixed asset investments, causing lower profits
GDP shrinks two consecutive quarters
Housing prices decline
Actual output is less than potential output
What does stagflation consist of?
Slow economic growth
Relatively high unemployment plus inflation
(Stagnant economy + inflation)
What characterizes a depression, and how is it different from a recession?
Sustained, long term downturn in economic activity
More severe and longer than recession
What are three types of application controls?
Input, output, and processing controls.
What are examples of general controls?
Program change controls
Controls that restrict access
Controls over acquisition and implementation of new software
Etc
Who takes the burden on the tax? Suppliers or consumers?
Depends on the elasticities of each curve (supply or demand). The more inelastic the curve is, the more tax burden it will assume.
What 3 elements of accounting estimates increase the RMM?
Differing interpretations of accounting principles
Required complex or subjective judgement
Assumptions about the future
What are various specific risks related to IT within an entity’s I/C? (3)
Improper processing, unauthorized access & changes, data loss
What are some circumstances an auditor is allowed to disclose client information, confidential or not?
Allowed to disclose name of clients to potential clients (unless CPA specializes in confidential practice like bankruptcy)
Allowed to share confidential information w/o consent to
- state CPA society peer reviews,
- official investigative professional bodies (AICPA ethics board, etc.)
- under court subpoena order
- third parties that DO have confidentiality agreements (insurance carriers, audit software stored on cloud, etc)
What preliminary audit procedures does a SSARS review engagement not undertake?
Review engagement provides limited insurance through INQUIRY and ANALYTICAL PROCEDURES only, as such, the accountant does not obtain an understanding of I/C or assess RMM due to Fraud
What is a hash total?
Hash total is an input control
It is a “nonsense” summation of numbers that is used to compare (not compute) inputs to process/outputs and ensure they are equal
What are the four phases of the business cycle?
Expansion
Peak
Recession (contraction)
Trough
What is the “test data” procedure?
Similar to the integrated test facility procedure
An auditor inputs auditor-created data through the client software to test client program
What is the “integrated test facility” procedure?
Similar to the test data procedure
Tests client’s data processing reliability
Auditor uses a set of transactions with a dummy entity and compares actual results to predetermined expectation
Transactions are run during the regular processing of data and done without computer operator’s knowledge
A concurrent audit technique where a special set of dummy master files is established and test transactions are entered to test the programs using the dummy files during regular practice runs
What is the price elasticity formula?
% change of the demand for a product / % change of the product price
If absolute value of answer is greater than 1, the price is elastic
If absolute value of answer is less than 1, the price is inelastic
What is the role of information systems in business processes?
To assist in activities and behaviors triggered by specific events, but are not part of the daily work environment (I think I don't understand)
Define business processes.
A defined set of activities or behaviors triggered by specific events and performed by humans or machines to achieve one or more entity goals
What are the keys to a consulting engagement?
A CPA must evaluate their objectivity and integrity
A CPA must inform executives and mgmt of the results, benefits, and limitations of the engagement
What are AU-C 230’s definitions and exceptions to regulator entities?
Regulators: state insurance and utility regulators, healthcare authorities, federal agencies
Nonregulators: IRS, peer/quality review firms, subpoenas
What are an auditor’s required communications with mgmt for factual and judgemental misstatements?
Request mgmt corrects known misstatements, including prior period
Further discuss the impact of judgemental material misstatement, individually or in aggregate
What are primary considerations when evaluating the reasonability of accounting estimates?
Framework is applied appropriately
Methodology is used consistently - beware changes
Impact of design and implementation of I/C
Significant assumptions, and their consistency between periods
How does a small organization compensate for the lack of segregation of duties?
Increase management oversight for incompatible activities
What are determinants for price elasticity?
(large) number of substitutes
luxury items in comparison to necessities
price changes
What are the four elements of a business process?
Inputs
Actors (human or automated)
Activities
Outputs
Define structural unemployment.
Unemployment due to workers not having demanded skills, or inability of employees to easily move to a location where jobs are available
What affects the extent of an auditor’s understanding and documentation requirements for obtaining an understanding of internal control?
Complexity & size of entity and environment
Degree/extent IT is used in accounting function
What is Induced Investment?
An investment made in the economy in response to a change in level of national income
What is the accelerator principle in economics?
A small change in consumer spending can cause a big percent change in investments
What is Business risk?
Significant conditions, events, circumstances, action or inaction that could adversely affect the entity’s ability to achieve objectives and entity strategy
What is a source code comparison program procedure?
Comparing the coding of a program from its last run against the original code to test for unauthorized changes in the code
What is the difference between source code and object code?
Source code is the instructions a programmer writes
- can be easily understood by humans using high-level languages (JavaScript, C++, etc.)
Object code is the source code that has been translated for machine use
- listed in binary 1’s and 0’s
- aka machine code, binary code
How is source code translated into object code?
Through the use of a compiler
What is a compiler?
A language translator that converts source code into machine language
Each high-level language (JavaScript, C++, etc.) has a different compiler to convert to object code/low-level language
What is a check digit?
A specific input control
A check digit is an extra digit, inserted by an algorithm, that is calculated from the other numbers/code entered into a field
Acts as a validation to the numbers in a field - if changed, the check digit will not match
What are the rules regarding the audit committee according to SOX 2002?
1) Audit committee must be entirely independent of mgmt (rest of the board not required)
2) Each audit committee member must be on the BoD
3) Committee should be chaired by someone with significant F/R qualification or experience
4) Cannot receive compensation except by being Board Member (cannot provide consulting, advisory, or other services to issuer)
What is the effect of ineffective general controls regarding misstatements?
Ineffective general controls NEVER CAUSE material misstatements
Ineffective general controls COULD ALLOW material misstatements
When management seeks to increase supervision, what two elements of I/C must they properly utilize?
Communication
Monitoring
C&M’g mgmt’s expectation of company activities
For the information and communication system element of I/C of COSO Framework, what does it support, and what does it consist of?
Supports identifying, capturing, and exchanging information
Consists of procedures and records relevant to F/R objectives (including the actg system)
What is monetary policy?
Actions taken by a central bank to change the money supply in the general economy.
The purpose is to assist economy to achieve full unemployment, stable prices, and economic growth
What are 4 competing theories explaining the economic business cycle? What are their basic premises?
Insufficient aggregate expenditure model - business cycle driven by inadequate spending between consumers, businesses, government, and net difference between exports and imports
Real business cycle model - the market adjusts to equilibrium from real supply shocks
Political business cycle model - interaction between economic policy and political decisions to influence voters propels business cycle
Accelerator model - driven by volatility in investment spending
Further explain the real business cycle model.
Premise that fluctuations between output and employment result from the rapid adjustment of market to real supply shocks.
Monetary policy assumed to have no real effect on the business cycle. Technological change can increase normal output while also stimulating market short-term by encouraging workers to work OT for higher wages due to higher productivity.
Without increased aggregate demand, advances can actually increase unemployment since operations are more efficient.
Further explain the political business cycle model.
Premise that the business cycle results from the interactions between economic policy decisions and political decisions designed to influence voter behavior.
Economic policy choices are trade-offs between inflation and unemployment.
Politicians run tight policies when they initially run in office, and blame economic problems on the last administration, while towards the end of the term they adopt more expansionary fiscal policy.
Disconnect between monetary policy in Federal Reserve and fiscal policy in Congress.
Further explain the insufficient aggregate expenditure model.
Premise that business cycle caused by inadequate spending.
Formula: GDP = C+I+G+(X-M) where
C = personal consumption, affected by consumer disposable income/wealth and interest rates (for larger appliances)
I = business investment, depends on interest rates and project anticipation
G = government expenditures, determined by fiscal policy
X = exports, driven by consumer income, wealth, and preferences in foreign nations
M = imports, driven by personal consumption and taste for foreign goods
Further explain the accelerator model.
Premise that the business cycle is driven by the volatility of investment spending.
Investments are related to the rate of change in GDP. As aggregate demand increases, business investment and production increase, which boosts the economy and boosts demand, which builds.
What are potential I/C benefits when using IT? (5)
Processing consistency
Enhanced timeliness, availability, and accuracy
Facilitates analysis and monitoring
Reduces circumvention risk
Enhances Segregation of Duties
What are the three price effects that explain the inverse relationship between price and demand/GDP?
Real balance effect - reduces purchasing power effectiveness of accumulated public savings balances > shrinks spending
Interest-rate effect - higher interest rates reduce investments and demand for products (costs more to buy)
Foreign purchases effect - when domestic goods cost more than foreign, consumers buy more foreign goods
What is Comparative Advantage in economics?
The one who has the lowest opportunity cost in producing a good (in comparison to producing second good) should produce more of the good. The other should produce the second good.
GAGAS attestation engagement-related independence requirements apply to whom?
Individual auditors
External audit organizations
Government audits structurally located within entities
What are 7 main methods/procedure classes for obtaining audit evidence?
Inquiry
Confirmation
Observation
Inspection
Reperformance
Recalculation
Analytical Review
According to Title VIII of SOX 2002, what are the possible penalties for altering audit documentation to impede an investigation?
Civil fines and/or imprisonment for up to 20 years