AUD Pt II - Assessing Risk and Developing Planned Response Flashcards
What is the high-level audit planning process? (6 steps)
1) Understand the entity and its environment, including internal controls
2) Perform risk assessment procedures
3) Set materiality
4) Assess Risk of Material Misstatement, whether due to fraud or error, at the F/S level and relevant assertion levels
5) Develop an overall audit strategy and response to respond to risks at the F/S level
6) Build a detailed audit plan with further audit procedures to respond to risks at the relevant assertion level
What 4 things does an overall audit strategy contain?
1) Description of engagement characteristics
2) Reporting Objectives of Engagement
3) Important factors for team’s focus
4) Overall audit response to RMM
How does an audit strategy help an auditor?
Helps auditor to determine NTE, allocate, and supervise required resources and further procedures
When does audit planning begin and end?
Begins at acceptance and continues through the engagement
What are continuing documentation requirements for audit planning?
Document any revisions and changes to strategy and plan
What three different types of audit procedures are included in the detailed audit plan?
Risk Assessment Procedures
Further Audit Procedures
Other required procedures
What are two reasons and the main outcome/purpose of risk assessment procedures? (RAP)
1) Identifies and evaluates relevant risk factors
2) Identifies and evaluates related controls
3) Assists in designing Test of Controls (for operating effectiveness) AND Nature, Timing, and Extent (NTE) of further substantive procedures
What are planning documentation requirements for non-audit engagements?
Documentation should always be sufficient and appropriate for the situation and accountant’s needs
But, not all nonaudit engagements have laws requiring documentation or preparation of a detailed engagement plan. Nevertheless, Quality Control monitoring objectives often necessitate an adequate documentation trail.
Understanding the entity and its environment (including I/C) helps the auditor establish a frame of reference for what 3 relevant job duties?
Planning the audit
Exercising professional judgement about RMM (risk of material misstatement)
Responding to risk
What must the auditor document with regard to his/her understanding of the en&env? (3)
Auditor must document the PROCEDURES PERFORMED (format is flexible: matrix, flowchart, narrative), SOURCE of information, and KEY ELEMENTS of the understanding obtained (risks and controls ID’d)
What are the five aspects an auditor should understand regarding the en&env?
1) Industry, regulatory, and other external factors
2) The nature of the entity (undstd CAD)
3) Entity objectives, strategies, and related business risk affecting RMM
4) Measurement and review of financial performance
5) Internal Control Environment
When understanding the en&env, what are 5 categories under the nature of the entity?
Business operations
Financing structure
Investments
Financial reporting (F/R)
IT environment
Define Business Risk in relation to RMM?
Business Risk: Anything that will hinder a company’s ability to meet its set objectives
Business risk is broader than, but includes, RMM
When understanding the en&env at an organizational level, an auditor is concerned with what three things?
(delete?)
Business issues
Process optimization
Tech standardization
What is the purpose of Internal Controls? (I/C)
To provide reasonable assurance for achieving an entity’s objectives over
- reliability of F/R
- efficiency and effectiveness of operations
- compliance with regulation
Of the three entity objectives related to an entity’s I/C, which one is the main concern for the auditor?
The reliability of F/R
What is an auditor’s primary consideration when understanding the I/C environment?
“Whether controls properly PDCMM (prevent or detect-and-correct material misstatements) in relevant assertions on a timely basis.”
How controls impact F/S assertions, and reliability of F/R (element 1/3 for I/C)
What does the COSO Framework stand for?
The Committee of Sponsoring Organizations Integrated Framework
What three topics does the COSO Framework provide guidance for?
Enterprise Risk Management (ERM)
Internal Controls (I/C)
Fraud deterrence
What are the 5 interrelated components of the COSO Framework for I/C?
1) Control Environment
2) Risk assessment process
3) Information and Communication systems
4) Control Activities
5) Monitoring
What is the acronym for the 5 components of the COSO Framework for I/C?
CRIME -
C-Control Activities
R-Risk assessment
I-Info and Comm systems
M-Monitoring
E-control Environment
Define COSO’s “Control Environment” component, and important aspects for the auditor to consider.
The Control Environment is the foundational element of good I/C; it is the tone of the organization.
The auditor should understand mgmt’s and governance’s attitudes, concentrating on proper Implementation of controls.
Define COSO’s “Risk Assessment” component, and important aspects for the auditor to consider.
The Risk Assessment process includes identifying, analyzing, and managing business risk (threats to not achieving business objectives).
The auditor should understand mgmt’s process to consider risk and decide on actions.
Define COSO’s “Info and Comm Systems” component, and important aspects for the auditor to consider.
Identifying, capturing, and exchanging information in a form and timeliness to assist everyone’s responsibilities.
The auditor should understand the F/R Flow of Information/Transaction Cycle, and how the entity communicates roles, responsibilities, and significant matters.
What are the 3 buckets of F/R Flow of Information?
1) Initiate and Authorize
2) Record and Process
3) Reconcile and Report
Define COSO’s “Control Activities” component, and important aspects for the auditor to consider.
Policies and procedures (p&p) to ensure management directives are carried out & necessary actions to address business risks are taken.
Auditor should understand relevant controls and pay special attention to I/C addressing higher RMM.
Define COSO’s “Monitoring” component, and important aspects for the auditor to consider.
Assessing the quality of Design and Implementation of I/C on a timely basis & taking corrective action where necessary.
The auditor should understand the types of monitoring activities, how mgmt initiates corrective action, the source and quality of reported information, and mgmt’s basis for relying on that info.
What are the three classes of I/C?
Preventative controls
Detective controls
Corrective controls
What is the goal of understanding an entity’s internal controls?
Through RAP of D&I of I/C, an auditor understands I/C sufficient to assess RMM of F/S (due to fraud or error) and design NTE of FAP
Define Design and Implementation of I/C.
Design - (a) control(s) is capable of effectively PDCMM
Implementation - the control actually exists and is used
What are the three theoretical “steps” to performing RAP to understand I/C?
1) Understand control environment’s design and implementation of internal control.
2) Use understanding to assess RMM
3) Test relevant/applicable controls for operating effectiveness
Why are the three “steps” of RAP labeled theoretical?
Because they are often integrated with substantive procedures and test of controls in practice
When performing the three RAP “steps,” what are applicable procedures for each step?
Understanding control environment: Inquiry, Observation, Inspection, Tracing
Assessing RMM: Inquiry, Observation, Inspection, AP (analytical procedures)
Testing Controls: Inquiry, Observation, Inspection, Reperformance
Note: Inquiry alone is not sufficient to understand the control environment
Note: When testing controls, the same procedures are much more in depth
Note: Obtaining an understanding does not equal testing controls for op’g eff’n
What are the timing requirements for Testing Controls for Operating Effectiveness per GAAS, both issuers (PCAOB) and nonissuers (GAAS)?
Nonissuers - “rotational testing”
If control mitigates a significant risk - must test in the CY audit
If not a significant-risk control and,
- If controls have changed - test in the CY audit
- If controls have not changed - test every three years
Issuers
Must test controls that you plan to rely on for operating effectiveness in the CY audit
List and explain the F/S assertions.
Existence/Occurrence - items exist as of the B/S date or the transaction (tx) occurred during the audit period
Completeness - population of txs are complete
Rights & Obligations - clear title to assets / actual obligation for liabilities
Valuation & Accuracy - properly valued and measured
Accuracy, Classification - properly classified and understandable to users
Cutoff - recorded in proper period
What are 3 inherent limitations to I/C?
1) Mistake or error (human or IT)
2) Collusion
3) Mgmt Override
How does an auditor determine which I/C is relevant to the audit, both to understand and evaluate?
Use professional judgement
What is a very effective procedure for understanding/risk assessing business processes? Explain the procedure.
Walkthroughs
Following a transaction from inception to reporting for significant processes.
Auditor should document transaction & data flow, and relevant controls.
Why are walkthroughs such an effective procedure?
It combines 4 other procedures: inquiry, observation, inspection and reperformance
It assists and verifies the auditor’s understanding of the transaction cycle, RMM, and I/C
What are IT general controls?
Broad controls, policies, and procedures that support the effectiveness of application controls, and that are implemented, managed and monitored by IT.
What is the effect of ineffective IT general controls?
The RMM increases
(Does not directly cause MM)
What are the general benefits (2) and risks (1) of using IT systems?
Benefits:
- effective and efficient I/C
- timely, available, and accurate info
Risks:
- completeness & reliability of I/C
When are IT systems effective?
When INTEGRITY of info and SECURITY of data maintained
What should an auditor be concerned about when evaluating a client’s IT system?
That the client has adequately responded to IT risks with proper General and Application controls
What are the proper IT segregation of duties? List the acronym, elements, and description.
COPAL
C-control group (monitoring function)
O-operators (operating function)
P-programming (programming)
A-analysts (designing function)
L-librarian (record keeping function)
What are the proper F/R segregation of duties? List the acronym and element.
CAR
C-custody
A-authorization
R-record keeping
What are the IT design and implementation 5 phases?
1) System Analysis - setting overall objectives
2) System Design - (analysts SoD)
3) Programming and testing - (programming SoD)
4) Implementation - most costly point for errors (operating & record-keeping SoD)
5) Monitoring - (monitoring SoD)
What is a proper disaster recovery plan?
Identify critical operations and create a restoration plan in case of loss
Store backup files offsite
Design notification procedures
Test plan periodically
What are an auditor’s responsibilities for IT application controls?
Must identify and document relevant controls within significant business process
What three things should an auditor identify and document for clients that use service organizations?
Auditor is responsible for identifying and documenting the
1&2) purpose and significance of using a service organization, and
3) impact of using a SOC report in the audit
What are the main concerns of a SOC I and SOC II report, and when are they applicable in an audit?
A SOC I report deals with I/C over F/R, and is applicable when a client outsources accounting services to a service organization.
A SOC II report deals with sufficient IT controls and security/integrity, and is applicable when a company outsources IT.
What SOC report is of greatest concern to an auditor?
SOC I Type II (test of D&I and operating effectiveness of controls of a service organization relevant to the user entity’s controls on F/R).
What does a SOC I report report on? What’s the difference between Type I and II reports?
SOC I reports on a service organization’s internal controls that are relevant to user entities.
Type I report attests to the suitability of design of controls for the service organization as of a POINT in time.
Type II report attests to the suitability of design AND operating effectiveness of a service organization for a PERIOD of time.
When dealing with SOC reports, what must a user auditor do to rely on a service auditor’s SOC report?
User auditor must evaluate the competence and independence of a service auditor
When using a SOC report in an audit, what does the user auditor include/reference in their report, whether unqualified or modified?
Unqualified - make no reference to service auditor or SOC
Qualified - only refer to service auditor if it helps understanding the modification
What are the 9 elements of a SOC I Type II report?
1) Must include “Independent” in the title
2) Name addressee
3) Describe the nature of the engagement and include the date
4) State the engagement “followed AICPA standards”
5) List service organization and service auditor responsibilities
6) Describe the examination & test of controls
7) Give 3 opinions: (A) on mgmt’s description, (B) on design suitability, (C) on operating effectiveness
8) Mention inherent limitations
9) Restrict the use of report distribution
What is the general approach to how an audit is conducted?
A risk-based approach - understand and evaluate areas of risk, and modify procedures appropriately to sufficiently lower audit risk to an acceptable level
What must the auditor document in regard to RMM due to fraud?
Any specific RMM due to fraud identified, and describe the auditor’s response to it
What are the auditor’s responsibilities for procedures over mgmt override vs fraud?
The auditor must always and separately test for mgmt override, regardless of whether fraud has been identified.
What are common procedures to test for mgmt override of controls?
Testing/Reviewing Journal entries and other adjustments
Review estimates for bias and reasonability
Evaluate the business purpose for significant, unusual transactions
What are the four attributes of RMM due to fraud?
1) The type of risk involved (Fraudulent F/R vs Misappropriation of assets/defalcation)
2) Significance of that risk (ability to cause MM)
3) Likelihood of the risk
4) Pervasiveness of the risk (to specific CAD or whole F/S)
What are the three elements of the fraud triangle?
Incentive or pressure
Opportunity
Rationalization or attitude
What must an auditor discuss with governance about when assessing risk of fraud?
Management’s ability to override I/C
Management’s ability to employ earnings mgmt
Lack of controls, monitoring, or corrective actions from management
Any suspicious or aggressive activity from management
What are the elements of the engagement’s team in-house discussion regarding fraud?
Discuss the susceptibility of the F/S to RMM due to fraud, or error
Discuss any known internal/external factors creating the fraud triangle
Emphasize the need for professional skepticism
Discuss opportunities for management override
Share any unusual accounting procedures the client uses
Discuss materiality and its effect on extent of testing
What must the engagement team document after its discussion regarding fraud?
Who, how, and when the meeting was held
The subjects discussed
Any decisions/conclusions reached
When inquiring about fraud, what types of questions should the auditor ask?
If there is any known, suspected, or alleged fraud
The person’s understanding of fraud risks pertaining to the entity
Policies and procedures in place to prevent, detect-and-correct, or mitigate fraud and fraud risk
Communications between mgmt and governance about fraud risk
Communications between mgmt and the employees about ethics and good business practices
If the person knows of any significant, unusual transactions that have occurred
Whom should the auditor make inquiries of about fraud and fraud risk?
Mgmt, governance, and others: Internal Audit, Operating personnel, people involved in recording significant, unusual transactions, and in-house legal counsel
What is an auditor’s responsibility for fraud in a SSARS review engagement?
Preparation and Compilation - no assurance - no responsibility
Review - take action and notify mgmt if fraud becomes suspected or known
When documenting RMM, how can it be expressed?
Quantitatively - with percentages
Qualitatively - using “high,” “medium,” “low,” etc
How does an auditor identify and assess RMM?
By performing RAP to understand the en&env, I/C, and particular CAD’s in the F/S and to support RMM basis and plan the NTE of FAP
How can an auditor make an audit extremely efficient?
Perform Test of Controls and Substantive Test of Details at the same time of Risk Assessment Procedures
What are four presumed risk assessment procedures (RAP)?
Inquiry, Analytical Procedures, Observe, Inspect
Note: all four procedures are not required for every aspect of RMM, but each is presumed to be used at least once
When are AP (analytical procedures) required during the audit?
Required during planning
Optional as a substantive procedure
Required during final review
What is the goal of an audit program?
Gather sufficient and appropriate evidence
Display the link between audit objectives and procedures (to be) performed
Define an audit plan.
A detailed plan of programs and procedures that address specific audit objectives
What are the three categories of assertions in the F/S?
CAD
Classes of transactions
Account balances
Disclosures
Define assertions.
Explicit and implicit representations by mgmt embodied in the F/S and used by the auditor to consider different types of potential material misstatement
List the 7 assertions and relevant categories.
Existence and occurrence - CAD
Completeness - CAD
Accuracy - C D
Cutoff - C
Classification - C D
Rights & Obligations - AD
Valuation & Allocation - AD