Audit 3: Engagement acceptance & understanding the assignment Flashcards
What does auditor need to assess before accepting the audit?
Ability to meet reporting deadlines
Ability to staff engagement
Independence
Integrity of client mgmt
Group Audit work to be done
Required Contents of Engagement letter
The Objective and Scope of the Audit
The Responsibilities of the Auditor
The Responsibilities of Mgmt
Stmt about inherent limitations of audit
ID of applicable framework
Reference form and content of reports
For Recurring audits when do changes need to be made
Significant changes in ownership or nature or size of business
Changes in mgmt, legal, reporting framework etc
PCAOB Nature, Extent and Timing (NET) rules are based on… A3-10
Size and complexity of client
Previous experience with client
Changes in circumstances during audit
The Nature, Extent and Timing of Supervision depend on..
Size and complexity of entity
Nature of the work
Assessed risk of material misstatement
Qualifications of assistants
Performance materiality is…
Amount less than material for fin stmts as a whole to reduce the level of misstatement of aggregate undetected or uncorrected misstatements
Tolerable misstatement is…
the maximum error in a population that the auditor is willing to accept
Substantive procedures are… what do they include
procedures used to detect material misstatement; they include: Tests of details, Analytical procedures
What are the main assertions of financial stmts
COVERU
Completeness
CutOFF
Valuation, accuracy and allocation
Existence and Occurrence
Rights and Obligations
Understandability and Classification
Audit plan is
Written plan that is required for every audit. Says what procedures are necessary to complete the audit
Procedures:
- Risk assessment req- obtain understanding of company and IC
- Further audit procedures- test of controls (effectiveness of IC), substantive procedures (detect mat miss test of details)
- other procedures (letter to attorney)
- Timing: MGMT discussion about NET
Internal auditors…
Cannot share responsibility or be depended upon for items with high risk of material misstatements or high degree of subjectivity
Use of work of Internal Auditor depends on their
Competence, Objectivity, Application of disciplined approach
Audit Risk Model Shows what..
The risk that the auditor will issue the wrong opinion–> SHOULD BE AS LOW AS POSSIBLE
Audit Risk Equation …
Audit Risk= Risk of Material Misstatement (Inherent x Control Risks) x Detection Risk
Risk of Material Misstatement =
Inherent Risk x Control Risk
Inherent Risk is
the chance of a material misstatement assuming no controls (based on judgment - detection)
Control Risk is..
the chance a material misstatement would not be caught by the internal controls on a timely basis (prevention).
Detection Risk is…
the chance that the auditor doesn't catch a material misstatement in an assertion; the only risk controlled by the auditor!
What should auditor do if risk of material misstatement (RMM) is judged to be high?
Detection Risk should be set low
–> MORE WORK–>LESS RISK ACCEPTED
How can the auditor change detection risk?
By changing the Nature, Extent, Timing of Audit Procedures
Fraud versus Error
Error=unintentional
Fraud=Intentional
Fraud Risk Factors
POR
Pressure
Opportunity
Rationalization
What needs to be done communication wise if fraud suspected?
Communicate at least one level above mgmt where fraud is suspected; if no higher authority –> get legal advice. It is not auditor’s responsibility to report to regulatory and enforcement authorities
Auditor’s responsibility with compliance to laws and regulations?
Provide Reasonable assurance that the financial stmts are free from Material misstatement due to non-compliance. NOT responsible for preventing noncompliance and not supposed to detect all of it
Procedures related to Noncompliance
Get Mgmt Rep letter
Understand:
- Legal and Regulatory Framework
- How entity is complying with that framework
Noncompliance issue has effect on fin stmts what sort of opinion?
GAAP So Except for or Adverse
How to Assess the Risks of Material Misstatement?
I’M A CPA
Internal control understanding- assess
Material misstatement assessment
Assess level of risk respond- other procedures
Control test
Perform substantive procedures
Audit evidence - evaluate sufficiency and appropriateness
What are the components for the COSO framework for Internal Control
CRIME
Control Environment, overall tone
Risk Assessment by Mgmt
Information and Communication
Systems Monitoring of internal control
Existing control activities
Strong Control System has what
PAIDTIPS
Prenumbered documents
Authorization of transactions
Independent Checks
Documentation
Timely performance reviews
Information Processing Controls
Physical Controls for guarding assets
Segregation of Duties
Segregation of duties sections
ARC
Authorization
Record Keeping
Custody of Assets
IC Documentation may include
FIND
- Flowchart
- Internal control questionnaire or checklist
- Narrative
- Documentation from the client (including copies of the entity’s procedures manuals and organizational charts).
Auditor Evidence Hierarchy
AEIOU
Auditor Knowledge
External evidence
Internal Evidence
Oral Evidence
U Know it
Substantive Procedures include
Acct balances
Analytical Procedures
Ratios
Financial House for vouching and tracing
Financial Stmts
Trial Balance
General Ledger
Sub-ledgers
Books
Documents
Events
For Vouching and Tracing what do you need to do?
Vouching: go from top to bottom of the financial house. Tracing: go from the bottom to top of the house
When does current auditor need to talk to prior auditor?
Before ACCEPTING engagement
Other items in engagement letter
Arrangement with predecessor auditor
Fees and billing
Further discussions with mgmt
What should auditor do if they discover opening account balance is wrong?
Get mgmt to have 3 party meeting with predecessor auditor
New auditor should ask old auditor… A3-8
About Mgmt integrity
Disagreements with mgmt
Reason for the change in auditors
Communication to mgmt, audit committee
How to assess the objectivity of Internal Auditors
use standards developed by The Institute of Internal Auditors
Can internal auditors help with any or all of: understanding internal control, performing test of controls, performing substantive tests?
Yes to all
When to mention a specialist in auditor’s report?
ONLY when giving less than unmodified opinion; if unmodified, don't mention
If an assistant has disagreement with opinion reached what should they do?
Document the details of the disagreement with the conclusion reached
An auditor should obtain sufficient knowledge of info system to understand?
Process used to prepare significant accounting estimates
When should an auditor determine whether internal controls are operating effectively?
Should be determined AFTER obtaining an understanding of internal control
Should only be determined for specific controls upon which auditor is going to rely
Management directives are part of what group?
Control Activities, Not Info and Communication
Types of Service Organization Reports
Type 1 = Report on Design and Implementation. Gives No Evidence to Reduce Risk
Type 2 = Report on Design and Operating Effectiveness. Does Give Evidence to Reduce Risk
Can a primary auditor refer to service organization auditor in audit report?
No
What sort of information indicates that noncompliance with laws and regulations may be occurring?
Checks made to cash, Bearer bonds, Transfers to numbered accounts
Communication with predecessor before acceptance
Mandatory! Mgmt integrity, disagreements, reasons for the change, communication req fraud
Communication with predecessor after acceptance
matters that may facilitate the evaluation of fin rep consistency between current and prior years
Assessing internal auditor objectivity
- previous experience
- level to which ia reports (mgmt or committee)
- external quality reviews
- professional internal auditing standards
Assessing competence of internal auditor
- education
- professional certification
- experience performance evaluation
- quality of audit documentation
Risk assessment required documentation
discussion among team
key elements of understanding
assessment of RMM
ID of risks and related controls
(the more complex–> the more doc)
Preventive controls
designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing.
Control environment
overall tone of the organization (integrity, competence, and participation of those charged w/governance, mgmt. philosophy, organizational structure, assignment of responsibility, and human resource responsibility).
Risk assessment
identification and analysis of risks (by mgmt.) to achievement of its objectives.
Information and communication system
support the identification, capture and exchange of information in a timely and useful manner. Accounting processing - from initiation of transaction to inclusion in the FS. The accounting records - supporting information, and specific accounts involved in initiating, authorizing, recording, processing and reporting transactions. Financial reporting process - includes the development of significant accounting estimates and the inclusion of appropriate disclosures.
Monitoring
assess the quality of internal control over time.
Existing and control activities
policies and procedures that help to ensure that management directives are carried out and the necessary steps to address those risks are taken. (Authorization, segregation of duties, safeguard of assets, assets accountability)
Control activities relative to an audit include (PAID TIPS)
Detective controls
designed to provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis
Under IT system segregation of duties should be:
COPAL
- Control Group (internal auditor)
- Operators (Employees who input data)
- Programmers (person who wrote/designed the program)
- Analysts (System analyst, who sets up the system/flow of items)
- Librarian (person who holds the keys or access to the various programs)
Note: When one person oversees/supervises another area OR is working in another IT area in the IT system, it is a “Weakness”