CH 3 AUDITING & IT Flashcards
What should be included for the Auditor’s address?
The City and State where located
What is Management Responsible for in regards to the Financial Statements?
Preparation and Fair Presentation of Financial Statements in accordance with the Applicable Financial Reporting Framework
What is Management Responsible for in regards to Internal Control?
Internal Control Design, Implementation, Maintenance
What are the headings in the Audit Report for an Unmodified Opinion?
(TIM-AA) Title; Introduction; Management Responsibility; Auditor Responsibility; Audit Opinion
What are the headings in the Audit Report for an Modified Opinion?
(TIMA-BA) Title; Introduction; Management Responsibility; Auditor Responsibility; Basis for (Modified) Opinion; Audit Opinion
In an Unmodified Opinion with Emphasis-of-Matter / Other-Matter sections, what is the order of the headings?
(TIM-AA EMO) Title; Introduction; Management Responsibility; Auditor Responsibility; Audit Opinion; Emphasis-of-Matter; Other-Matter
What are the requirements for referencing a Component Auditor in the Audit Report?
Component Financial Statements must be prepared using same Financial Reporting Framework as the Group Financial Statements; Component Auditor must have performed audit in accordance with GAAS or PCAOB Standards.
What must the Group Engagement Partner do if they assume responsibility for the Component Auditor’s work?
Perform additional audit procedures; Be involved in Component Auditors work; Perform Risk Assessment procedures; Assess Risk of Material Misstatement
What standards govern SSARS engagements?
Compilations are governed by SSARS (Statements on Standards for Accounting and Review Services)
Which clients can have compilation engagements?
Non-SEC (non-public) registrants only.
What is a Compilation?
Accountant puts together financial statements with information PROVIDED BY MANAGEMENT. No opinion is expressed and no assurances are given. Independence is not required.
What disclosures are required for Compilation engagements?
Disclosures not necessary must state that they are not included
What standards govern Review engagements?
SSARS (Statements on Standards for Accounting and Review Services)
What type of assurance is given in a Review engagement?
Reviews give limited assurance.
What procedures are required for Review engagements?
Analytical procedures are required for reviews. Compare results to documented predictions.
What is a Review engagement?
Financial statements are presented with no opinion expressed- and limited assurances are given. Independence is required for a review engagement.
What is a Forecast?
A prospective financial statement that uses normal circumstances. General and limited use allowed.
What is a Projection?
A prospective financial statement using hypothetical situations. Only limited use by the client is allowed.
What are the requirements for Agreed Upon Procedures?
Independence is required; Only limited use by the client is allowed.
What disclosures are required for remote likelihood of losses?
No disclosure required.
What disclosure is required for a probable loss contingency?
Accrue if estimable. Emphasis-of-Matter paragraph if not estimable.
What disclosure is made if a loss contingency is reasonably possible?
Auditor assesses need for Emphasis-of-Matter paragraph based on loss likelihood.
How is a gain contingency reported?
Gain contingencies are not reported.
How does an immaterial GAAP issue affect the audit opinion?
It doesn’t. Opinion is Unmodified.
How does a very material GAAP issue affect the Audit Report?
Modified-Adverse Opinion is issued. Emphasis-of-Matter paragraph is added after Opinion paragraph.
How do GAS standards compare to GAAS?
GAS is more strict than GAAS.
What is required under the Single Audit Act?
Funding Threshold is $750,000. An audit performed under governmental auditing standards (GAS). A report on internal control is required. GAAS and GAS don’t require the I/C report.
When is an audit of IT NOT required?
Controls are redundant to another department
The system does not appear to be reliable and testing controls would not be an efficient use of time
Costs exceed benefit
When can an audit of IT be performed without directly interacting with the system?
System isn’t complex or complicated
System output is detailed
What is the role of a Database Administrator?
Maintains database
Restricts access
Responsible for IT internal control
What is the role of a Systems Analyst?
Recommends changes or upgrades
Liaison between IT and users
What is the role of the data Librarian?
Responsible for disc storage
Holds system documentation
What is the benefit of Generalized Audit Software in an audit?
Uses computer speed to quickly sort data and files- which leads to a more efficient audit
Compatible with different client IT systems
Extracts evidence from client databases
Tests data without auditor needing to spend time learning the IT system in detail
Client-tailored or commercially produced
What is a Relational Database?
Group of related spreadsheets
Retrieves information through Queries
What is a Data Definition Language?
A language that defines a database and gives information on database structure.
It maintains tables- which can be joined together.
It establishes database constraints.
What functions are performed by a Data Manipulation Language?
Maintains and queries a database
Auditor needs information- so client uses DML to get the information needed
What functions are performed by a Data Control Language?
A Data Control Language controls a database and restricts access to the database.
What are Check Digits?
A numerical character consistently added to a set of numbers.
It makes it more difficult for a fraudulent account to be set up or go undetected.
What is the purpose of a Code Review?
A Code Review tests a program’s processing logic.
Advantageous because auditor gains a greater understanding of the program.
What is the purpose of a Limit Test?
Examines data and looks for reasonableness using upper and lower limits to determine if data fits the correct range.
Did anyone score higher than 100%?
What is the Test Data Method?
Auditor processes data with client’s computer - fake transactions are used to test program control procedures.
Each control needs to only be tested once
Problem with this method - fake data could combine with real data.
How can Operating Systems Logs be utilized during an audit?
Auditor can review logs to see which applications were run and by whom.
What is the purpose of Access Security Software?
Helpful in online environments
Restricts computer access - may use encryption.
How can Library Management Software assist with an audit?
Library Management Software logs any changes to system/applications etc.
How can Embedded Audit Modules in software be utilized in an audit?
Assist with audit calculations
Enable continuous monitoring in an audit environment that is changing
Weakness: requires implementation into the system design
Example: SCARF - Collects information based on some criteria and can be analyzed at a later time (necessary because the audit environment is continually changing)
What is an Audit Hook?
An Audit Hook is an application instruction that gives auditor control over the application.
What is the purpose of Transaction Tagging?
Transaction Tagging allows logging of company transactions and activities.
How do Extended Records assist in audit trail creation?
Extended Records add audit data to financial records.
How does Real Time Processing affect an audit?
Destroys prior data when updated
aka Destructive Updating
Requires well-documented Audit Trail
What is the risk of auditing System outputs versus Application outputs?
If the auditor only audits the outputs of a computer system and doesn’t also audit the software applications- an error in the applications could be missed.
What is a Compiler?
Software that translates source program (similar to English) into a language that the computer can understand
How is Parallel Simulation utilized during an audit?
Client data is processed using Generalized Audit Software (GAS)
Sample size can be expanded without significantly increasing the audit cost
GAS output compared to client output
What does auditing internal control in a company’s IT environment accomplish?
Plan the rest of audit- Shorter audit trails that may expire- Less documentation
Assess the level of Control Risk - Unauthorized access to systems or data is more difficult to catch
Systems access controls adds another layer to separation of duties analysis
Focus should be on the general controls- new systems development- current systems changes- and program or data access control or computer ops control changes