Audit Flashcards
What engagements are covered by the AICPA Code of Professional Conduct?
Covers all professional engagements and is the minimum standard of conduct
Member should additionally follow specific standards for a specific engagement
What must an accountant have under the AICPA Code of Professional Conduct?
Integrity
Objectivity
No Conflicts of Interest
No known misrepresentations of facts
No outsourcing of judgment
What are threats and safeguards to independence?
Safeguards > Threats - Independence
Threats > Safeguards - No Independence
What are the threats to independence?
Self-Review (Auditing own work)
Advocate of the Client
Adverse Interest (Lawsuit against Client)
Too familiar with Client - could impair the appearance of Independence to public
Undue influence on Client - On Board of Directors- exception being an Honorary board position
What are the Safeguards to independence?
Offset the threats
Safeguards are created by Legislation (SOX)- Client (Audit Committee)- Accounting Firm (Policies)
What are the characteristics of a Covered Member?
On the engagement team- have Significant influence on Audit- such as:
Reviewing Partner
Managing Partner in CPA Firm
Firm Personnel who does more than 10 hours of non-attest work (Income Taxes)
Partner sharing office with another Partner who oversees an engagement
Financial Interest in Client by Covered Member (Auditor on Engagement)
What are the requirements for a Covered Member?
No direct financial interest
No Material indirect financial interest
Firm personnel who are not Covered Members cannot own more than 5% of stock
Covered Member’s immediate family cannot own more than 5% of stock or be employed in Key positions. If Covered member is aware of this- it will impair independence.
Cannot make management decisions.
All requirements apply during the period of the professional engagement- and as long as they are a client.
What happens when a Covered Member disagrees with a Supervisor?
If Supervisor’s position is still GAAP/GAAS- defer to Supervisor
If Supervisor’s position is not GAAP/GAAS- report to higher levels of management
If management ignores you- consider leaving the firm
When is independence required?
Audit
Review
Attestation Engagement
What are the requirements for Non-attest engagements?
Agreement must be in writing.
Independence not required - Must state if you are not independent
Applicable engagements: Consulting- Compilation
Which standards apply to consulting engagements?
Consulting engagements are covered by Statements on Standards for Consulting Services (SSCS)
Requirements: Competence- Due Care- Planning- Supervision- Obtain Sufficient Data- Must Serve Client Interest- Must have written or oral agreement- must communicate with client.
List some common consulting engagements.
Advisory Services
Transaction Services
Management Consulting
Implementation Services
What is the rule concerning contingent fees for a covered member?
Not allowed if Member also performs services where independence is required
Commissions or referral fees for Covered Members are not allowed
Example - Audit firm gets a commission for recommending to Client that they implement a new A/P System…NOT Allowed
If a firm performing non-attest work doesn’t also perform Covered Member services (aka - Independence not
required)- then Firm can get a commission on referring products/services- but they must disclose to the Client
Tax Preparation - Payment according to refund amount is disallowed
When are contingent fees allowed?
When fees are structured relative to judicial proceedings.
Example: IRS audit- or filing an amended tax return subject to tax case with a different taxpayer.
How should recommendations and suggestions by a covered member to a client be handled?
Client must carry them out - covered member cannot perform management functions.
Client must assign someone of competence to oversee the non-attest engagement and CPA must be satisfied that this has occurred.
What are the requirements for Personal Financial Planning Engagements?
Must have definite objectives
Must have specific procedures planned
Must have a basis for recommendations
Must have recommendations communicated
Must have action steps to implement
When is a GAAP departure appropriate?
Departure from GAAP is appropriate if GAAP would cause Financial Statements to be misleading- then it must be explained/disclosed.
When may a covered member disclose confidential information?
Member may disclose confidential info when client isn’t following GAAP
OR
If they receive a subpoena - CPAs are not Attorneys- so there is no CPA-Client privilege
What is the effect of not returning all client-provided documents upon request?
This is an act discreditable.
You MUST return all documents the client gives you even if they don’t pay their bill.
If you create a document- however- like a work paper- you are not required to give the client a copy of papers you created if they haven’t paid their bill
They are the firm’s work papers- but are still confidential!
What are the rules with respect to CPA firm names?
CPA firm names must not be misleading.
If partner dies- remaining partner has two years to change name if partnership dissolved. If partner dies and more than one partner still remains (i.e. 1 dies and you still have 2 or more partners…you don’t need to change the name)
All Partners/Shareholders must be members of the AICPA in order to hold themselves out as members of the AICPA. Non-CPAs can be owners- but 2/3 of Ownership must be CPAs. Non-CPA owner must not be involved with the accounting- and is still bound by AICPA code of conduct- must maintain CPE requirements and have Bachelor’s degree.
What is the consequence of disclosing CPA exam material post-1996?
It is an Act Discreditable.
What are the consequences for a CPA who commits an Act Discreditable?
Licenses are granted at the State level
If State revokes certificate- AICPA Ban
Felony Conviction- AICPA Ban
Prepares Fraudulent Tax Return- AICPA Ban
Intentionally failing to file return- AICPA Ban
SEC can get involved with discipline
What are the functions of the PCAOB?
Monitors CPA Firms who audit SEC clients - All SEC Audit firms must register
Issues standards for firms to follow - usually stricter than AICPA standards
When is independence impaired under PCAOB standards?
If Client pays a contingent fee (i.e. based on outcome)
With Marketing or Planning engagements
Aggressive Tax Strategies
Firm does tax work for Client employee involved with audit oversight or their
family
Who must approve non-audit work performed by a firm for a client?
Client Audit Committee must approve non-audit work performed by Firm
Firm must disclose any potential independence issues to Audit Committee
Which organization is in charge of determining if federal funds are being misappropriated?
GAO - Government Accountability Office
What rules must auditors follow for governmental audits?
Auditors must follow both GAAS and GAS aka the Yellow Book materiality threshold is usually lower
More detail is required on working papers
More stringent CPE rules and requirements - 24 hours of continuing education must be related to governmental auditing every 2 years
Compliance with Regulations is a requirement of the Audit Report
Who created the International Auditing Standards?
The International Auditing and Assurance Standards Board (IAASB)
Member of the International Federation of Accountants (IFAC)
For whom were IAASB International Auditing Standards created?
IAASB standards are for countries that don’t have their own standards and help set the tone for the rest of the members who do have their own standards (AICPA)
IAASB doesn’t override member standards
What financial approach is used under IAASB audit standards?
IAASB standards are based on a risk assessment approach
How do IAASB audit standards compare to US audit standards?
IAASB - No Internal Control audits
IAASB - No Referencing another Audit Firm
IAASB - Less detailed documentation
IAASB - Required: obtain written fraud assessment
IAASB - Required: location of auditor’s home office
What are International Ethical Standards?
Standards set by International Ethics Standards Board for Accountants (IESBA)
Code of Ethics for Professional Accountants - Similar to AICPA Code of Professional Conduct
Which groups are covered under the three sections of the International Ethical Standards?
A) Covers all accountants
B) Covers Public accountants
C) Covers accountants in a business environment
What are the requirements for all accountants under the International Ethical Standards?
Accountants should have Integrity
Accountants should be Objective
Accountants should have Competence
Accountants should exercise Due Care
Accountants should maintain Confidentiality
Accountants should act Professionally
What questions should public accountants pose to themselves under the International Ethical Standards?
What are the threats/safeguards?
Does this new client threaten our ethics?
What are the conflicts of interest?
What are the threats/safeguards for offering a second opinion?
What are the threats/safeguards for receiving commissions or contingent fees?
Is our marketing truthful?
What are the threats/safeguards for receiving client gifts?
What are the threats/safeguards to objectivity?
If Internal Control is poor and a company’s accounting practices are sloppy - which risk is higher?
Control risk increases with poor Internal Controls and sloppy accounting practices.
If Internal Control is poor - what is the effect on the audit?
Auditor will need to perform more testing and dig deeper into accounts in order to arrive at an opinion regarding the financial statements.
What does Internal Control provide reasonable assurance for?
Internal control provides reasonable assurance that
Material misstatements will be prevented
Reliability/integrity of financial statements will be preserved
Assets are protected against misuse
What is required in an examination of Internal Control under Sarbanes-Oxley?
CEO/CFO must disclose Internal Control deficiencies
Management must provide assessment of Internal Control
Management must certify Financial Statements
What is the relationship between Internal Control and Substantive Testing?
Inverse Relationship
Stronger Internal Controls - Less Testing Needed
Weaker Internal Controls - More Testing Needed
What are the 3 objectives of Internal Control?
Reliability of Financial Reporting
Operational Efficiency/Effectiveness
Compliance with Law and Regulations
What are the 5 components of Internal Control?
Control Environment
Risk Assessment
Information and Communication
Monitoring
Control Activities
What is the purpose for a Control Environment assessment?
Sets tone for the entire company
What are the components of the Control Environment?
Integrity/Ethics of Management
Competence of Management
Organizational Structure
Human Resource Policies
Assignment of Authority/Responsibility
Management’s Style (riskier with a dominant/aggressive individual)
Board/Audit Committee involvement
What does an auditor’s assessment of Detection Risk determine?
Detection Risk determines nature- timing- and extent of audit procedures.
What determines the acceptable level of Detection Risk?
Risk of material misstatement determines acceptable level of Detection Risk
What items could increase the risk of material misstatement?
Rapid growth in the company.
The methods management uses to identify risk- estimate its significance and assess the likelihood of occurrence
Major changes to operations- personnel- systems- IT- products- corporate organization- and foreign operations.
What happens when Control Risk is assessed to be at the maximum level?
No Internal Control testing is performed.
All audit procedures are increased in intensity to compensate for increased risk.
What happens when Control Risk is below the maximum level?
Auditor tests Internal Controls.
Auditor evaluates Control Risk based on tests
Auditor adjusts substantive tests accordingly
Weaker Internal Control - More substantive tests
Stronger Internal Control - Less substantive tests
Describe some common examples of Control Activities.
Performance Reviews
Information Processing
Physical Controls
Segregation of Duties
What should an auditor understand with respect to Information and Communication on an audit?
Understand Client’s
Major transaction classes
Transaction initiation
Support records/documents
Transaction processing
Financial Statement internal reporting process
Financial Statement external reporting process
How must an auditor document understanding of Internal Control?
Through written documentation such as Internal Control memos- flowcharts- and questionnaires
What questions should be asked to determine the risk of material misstatement?
Were all transactions recorded?
Were they timely?
Measured appropriately?
Recorded in correct period?
Presented and disclosed properly?
Did Management communicate their responsibilities?
What is the purpose of testing Internal Controls?
Auditor needs reasonable assurance that controls are functioning as designed and effective
Internal Control Testing should be strong as (IRON) so that nothing gets past them
Inquiry - Interview company personnel
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documents
If results are as expected- substantive procedures do not need to be adjusted
When can controls tested by an auditor in a prior year be used in the current year’s audit assessment?
Controls tested by auditor in a prior year can be used in the current year’s audit assuming they are re-tested every third year
Exception If the control has changed since the last audit
What happens if Internal Controls are deficient?
Control Risk increases
Scope of substantive procedures increases
Detection Risk decreases
Material Weakness - Reasonable possibility that a material misstatement in Financial Statements would not be found- more than a remote chance of occurrence
What is a Material Weakness?
Reasonable possibility exists that a material misstatement in Financial Statements would not be found- and has more than a remote chance of occurrence.
What does Tracing test?
Tests Completeness
Starts with source document and traces forward to the journal entry.
What does Vouching test?
Tests Existence.
Starts with a journal entry and searches for a voucher or source document to support the entry.
What activities represent Segregation of Duties?
Non-compatible duties performed by separate individuals- such as
Authorization of asset disbursement vs. Recording of Assets vs. Custody of assets
If supporting audit evidence doesn’t exit - use Observation and Inquiry
Accounting should be segregated from Production
With respect to signing checks - how are duties segregated?
Employees who prepare vouchers/invoices should not also have the authority to SIGN CHECKS
Tip - Remember this as an underlying theme with Segregation of Duties. The authority to make a payment should not also lie in the hands of those creating invoices/vouchers. Why? People commit fraud by setting up fake companies and basically paying themselves
With respect to custody of assets - how should duties be segregated?
Employees who have custody of assets should not also RECORD those assets
Someone in charge of petty cash should not also control the petty cash records
Treasury Department (custodians) should NOT have record keeping duties
They control assets and should not be able to adjust any recording of those assets
What are the limitations on Control Activities?
Controls can’t stop collusion or bad judgment
Management can override controls
Cost vs. Benefit relationship of Internal Control
What is required if a Material Weakness is identified?
A written report to management is required.
Report declaring that no material weaknesses were found is allowed
Previous weaknesses reported that still exist should be reported again
Should be reported no later than 60 days after audit report release date
If one or more material weaknesses is uncorrected at year-end- an Adverse Opinion on Internal Control must be given
What is the effect of a Significant Deficiency? What is it?
A significant deficiency adversely affects a company’s ability to report in the financial statements according to GAAP.
A significant deficiency is a more than a remote likelihood of material misstatement by more than an inconsequential amount
What must occur if a Significant Deficiency is identified?
If a Significant Deficiency is identified- a written report to management required
Report declaring that no significant deficiencies exist is not allowed
Previous deficiencies reported that still exist should be reported again
Should be reported no later than 60 days after the audit report release date
What is a Control Deficiency?
A control is not operating as intended.
What must an auditor ask if using the work of third parties?
Are they competent?
Are they objective?
What must an auditor understand with respect to internal auditors?
Auditor needs to understand the role of Internal Auditors within the organization because their work affects the audit plan
Responsibility for judgments about materiality or appropriateness of entries or estimates cannot be shared with third parties like Internal Auditors
Internal Auditors should be asked to do some of the legwork like preparing schedules or running reports
They should not be asked to make any decisions or judgments
What is required in an examination of Internal Control under Sarbanes-Oxley?
CEO/CFO must disclose deficiencies
Management must provide assessment of Internal Controls
Management must certify Financial Statements
What is the relationship between Internal Control and Substantive Testing?
Has inverse relationship
Stronger Internal Control results in LESS substantive testing
Weaker Internal Control leads to MORE substantive testing
What are the three objectives of Internal Control?
Reliability of Financial Reporting
Operational Efficiency/Effectiveness
Compliance with Law and Regulations
What are the five components of Internal Control?
Control Activities
Risk Assessment
Information and Communications
Monitoring
Control Environment
What are the components of the Control Environment?
Integrity/Ethics of Management
Competence of Management
Organizational Structure
Human Resources Policies
Assignment of Authority/Responsibility
Management’s Style (riskier with a dominant/aggressive individual)
Board/Audit Committee involvement
What happens when Control Risk is below the maximum level?
Auditor tests Internal Controls.
Auditor evaluates Control Risk based on tests
Auditor adjusts substantive tests accordingly
Weaker Internal Control - More substantive tests
Stronger Internal Control - Less substantive tests
What should an auditor understand with respect to Information and Communication on an audit?
Understand Client’s
Major transaction classes
Transaction initiation
Support records/documents
Transaction processing
Financial Statement internal reporting process
Financial Statement external communication process
How must an auditor document understanding of Internal Control?
Auditor must document understanding of Internal Control via Memos - Flowcharts - Questionnaires
What is the purpose of testing Internal Controls?
Auditor needs reasonable assurance that controls are functioning as designed and effective
Internal Control Testing should be strong as (IRON) so that nothing gets past them
Inquiry - Interview company personnel
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documents
If results are as expected - substantive procedures do not need to be adjusted
When is an audit of IT NOT required?
Controls are redundant to another department
The system does not appear to be reliable and testing controls would not be an efficient use of time
Costs exceed benefit
When can an audit of IT be performed without directly interacting with the system?
System isn’t complex or complicated
System output is detailed
What is the role of a Database Administrator?
Maintains database
Restricts access
Responsible for IT internal control
What is the role of a Systems Analyst?
Recommends changes or upgrades
Liaison between IT and users
What is the role of the data Librarian?
Responsible for disc storage
Holds system documentation
What is the benefit of Generalized Audit Software in an audit?
Uses computer speed to quickly sort data and files- which leads to a more efficient audit
Compatible with different client IT systems
Extracts evidence from client databases
Tests data without auditor needing to spend time learning the IT system in detail
Client-tailored or commercially produced
What is a Relational Database?
Group of related spreadsheets
Retrieves information through Queries
What is a Data Definition Language?
A language that defines a database and gives information on database structure.
It maintains tables- which can be joined together.
It establishes database constraints.
What functions are performed by a Data Manipulation Language?
Maintains and queries a database
Auditor needs information- so client uses DML to get the information needed
What functions are performed by a Data Control Language?
A Data Control Language controls a database and restricts access to the database.
What are Check Digits?
A numerical character consistently added to a set of numbers.
It makes it more difficult for a fraudulent account to be set up or go undetected.
What is the purpose of a Code Review?
A Code Review tests a program’s processing logic.
Advantageous because auditor gains a greater understanding of the program.
What is the purpose of a Limit Test?
Examines data and looks for reasonableness using upper and lower limits to determine if data fits the correct range.
Did anyone score higher than 100%?
What is the Test Data Method?
Auditor processes data with client’s computer - fake transactions are used to test program control procedures.
Each control needs to only be tested once
Problem with this method - fake data could combine with real data.
How can Operating Systems Logs be utilized during an audit?
Auditor can review logs to see which applications were run and by whom.
What is the purpose of Access Security Software?
Helpful in online environments
Restricts computer access - may use encryption.
How can Library Management Software assist with an audit?
Library Management Software logs any changes to system/applications etc.
How can Embedded Audit Modules in software be utilized in an audit?
Assist with audit calculations
Enable continuous monitoring in an audit environment that is changing
Weakness: requires implementation into the system design
Example: SCARF - Collects information based on some criteria and can be analyzed at a later time (necessary because the audit environment is continually changing)
What is an Audit Hook?
An Audit Hook is an application instruction that gives auditor control over the application.
What is the purpose of Transaction Tagging?
Transaction Tagging allows logging of company transactions and activities.
How do Extended Records assist in audit trail creation?
Extended Records add audit data to financial records.
How does Real Time Processing affect an audit?
Destroys prior data when updated
aka Destructive Updating
Requires well-documented Audit Trail
What is the risk of auditing System outputs versus Application outputs?
If the auditor only audits the outputs of a computer system and doesn’t also audit the software applications- an error in the applications could be missed.
What is a Compiler?
Software that translates source program (similar to English) into a language that the computer can understand
How is Parallel Simulation utilized during an audit?
Client data is processed using Generalized Audit Software (GAS)
Sample size can be expanded without significantly increasing the audit cost
GAS output compared to client output
What does auditing internal control in a company’s IT environment accomplish?
Plan the rest of audit- Shorter audit trails that may expire- Less documentation
Assess the level of Control Risk - Unauthorized access to systems or data is more difficult to catch
Systems access controls adds another layer to separation of duties analysis
Focus should be on the general controls- new systems development- current systems changes- and program or data access control or computer ops control changes
What is the majority of an auditor’s work in determining an audit opinion?
Collection of evidence to support the opinion.
Of what does audit Evidence consist?
Evidence consists of client accounting data and supporting documentation from client or from third parties.
What is the relationship between Evidence and Detection Risk?
Evidence has an inverse relationship with Detection Risk
The one aspect of Audit Risk an auditor can control through (N)ature (T)iming (E)xtent of audit procedures.
Inherent Risk and Control risk are outside of auditor’s control.
Which aspects of Audit Risk can an auditor control?
Detection Risk which is decreased by gathering evidence.