ch 7 review (exam 2) Flashcards
management must do what in regards to assessment of internal controls
- ________________ for effectiveness of ICs over financial reporting
- _________________ the effectiveness of ICs over financial reporting
- _________________ to support its evaluation
- _________________ of effectiveness of ICs over financial reporting at the end of the fiscal year
- accept responsibility
- evaluate
- document
- present written assessment
what is SOX section 404
management assessment of internal controls
what is SOX section 302
CEO and CFO must annually certify, in writing, the effectiveness of ICs over financial reporting only
CEO and CFO must annually certify, in writing, _____________________________
the effectiveness of IC over financial reporting only
In the PCAOB, an audit of ICFR is ____________ with an audit of financial statements
integrated
an auditor must _______________ on whether the company maintained effective internal control over financial reporting
issue an opinion
What two audit reports are issued at the conclusion of the audit (separate or combined)
- opinion on financial statements
- opinion on ICs
what is an integrated audit
two audit reports at the conclusion of the audit
what are two types of controls
preventive and detective
what is a preventive control
applied to each transaction to stop or prevent error from happening
what is a detective control
applied after the transaction has occurred
what is a manual control
do not rely on the client’s IT environment for their operation
what is an automated control
controls generally rely on the client’s IT applications (or software) in some way
examples of preventive controls
- accuracy, valuation, and allocation
- occurrence
- accuracy
- classification
examples of detective controls
- completeness
- occurrence
- completeness, occurrence, cutoff
- completeness, classification
- accuracy
what is the acronym for procedures for testing internal controls
R I I O
What do the letters in R I I O stand for
Reperformance, Inquiry, Inspection of physical evidence, Observation
what controls should be tested?
matter of professional judgement
what are relevant controls
relevant controls are controls the auditor plans to rely on
significant changes equals a(n) ___________ in risk
increase
the extent that controls should be tested refers to _________
sample size
what are three things determined by the auditor before selecting a sample size
- desired level of assurance
- expected rate of deviation in the population
- tolerable deviation rate
what is the desired level of assurance
how confident does the auditor need to be that control is working
a higher level of desired assurance means a ________ sample size
larger
expected rate of deviation
the rate at which the auditor expects controls to NOT function
tolerable deviation rate (TDR)
maximum rate of deviation from the control the auditor is willing to accept and still rely on the control
Example of tolerable deviation rate: TDR is 6%. If there were 50 voucher packages sampled for AP and found 4 exceptions would the control function as intended?
NO; 4/50 = 8%; do not rely on the IC
Example of tolerable deviation rate: TDR is 6%. If there were 50 voucher packages sampled for AP and found 2 exceptions would the control function as intended?
YES; 2/50 = 4%; may rely on internal controls
how do auditors determine sampling size
professional judgement
when is interim
3rd quarter/ early 4th quarter
What part of NET is when should controls be tested?
Timing
Updated from interim to YE by ____________ and __________
inquiry and observation
benchmarking for computer application control
use evidence from PY if nothing has changed with IT application controls
In step 7 of assessing control risk, your IC testing will
confirm expectations or not
in step seven review/ revise ___________ as needed
audit strategy
what is step 8 in assessing control risk
reporting IC deficiencies to management
What is the management letter
A written communication from the auditors to those charged with governance with observations regarding material weaknesses and significant deficiencies
Which reporting standards require a management letter
ASB and PCAOB (private and public)
are management letters provided to the public for private companies?
NO
are management letters provided to the public for public companies?
NO
Can there be more than one management letter throughout the audit?
Yes
management letter allows management to ________________________
take action to improve ICs in a timely manner
For public companies, auditors form an _________________
opinion on the effectiveness of IC over financial reporting
is an opinion on the effectiveness of IC over financial reporting provided for private companies
no
what is an unqualified opinion on ICFR
no material weaknesses in internal controls (company maintained effective internal controls)
what is an adverse opinion on the effectiveness of ICFR
1 material weakness (or more); did not maintain effective internal controls
what is a disclaimer on ICFR
material scope limitation; could not do work; no opinion
in an attestation service, say __________ instead of audit
examined
a SOC 1 Type 2 report is prepared by __________ and _______________
service organization and service auditor
the SOC 1 Type 2 report is provided to the ____________ and _______________
user entity and user auditor