_________ is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
_____ independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
Internal Auditing
The _________________ requires all publicly traded companies be subject to a financial audit annually.
Securities and Exchange Commission (SEC)
Provide audit services where processes or data, or both, are embedded in technologies.
IT audits
An __________ is an independent attestation performed by an expert—the auditor—who expresses an opinion regarding the presentation of financial statements.
external audit
________ is an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party
Attest service
_______ are professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness.
Advisory Services
_________ are often certified as a Certified Internal Auditor (CIA) or a Certified Information Systems Auditor (CISA).
Internal auditors
True or false
External auditors represent outsiders; internal auditors represent the interests of the organization.
The objective of this type of audit is to investigate anomalies and gather evidence of fraud that may lead to criminal conviction.
fraud audit
Fraud auditors have earned the ___________ certification, which is governed by the Association of Certified Fraud Examiners (ACFE)
Certified Fraud Examiner (CFE)
The ________ of publicly traded companies form a subcommittee known as the audit committee, which has special responsibilities regarding audits
board of directors
This committee usually consists of three people who should be outsiders (not associated with the families of executive management nor former officers, etc.). With the advent of the Sarbanes-Oxley Act, at least one member of this committee must be a “financial expert.”
audit committee
The ________ serves as an independent “check and balance” for the internal audit function and liaison with external auditors.
audit committee
Who hires and fires auditors and resolves disputes?
Audit Committee
The product of the attestation function is a ________ that expresses an opinion about the reliability of the assertions contained in the financial statements.
formal written report
The _____________ affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred
existence or occurrence assertion
The ______ assertion declares that no material assets, equities, or transactions have been omitted from the financial statements
The ________ assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.
rights and obligations
The __________ assertion states that assets and equities are valued in accordance with GAAP and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis
valuation or allocation
The ____________ assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements
presentation and disclosure
_______ is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.
Audit risk
_______ is associated with the unique characteristics of the business or industry of the client. This is also the probability that material misstatements have occurred
Inherent Risk
PPT definition: The probability that the internal controls will fail to detect material misstatements
Book Definition: is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
Control Risk
PPT: The probability that the audit procedures will fail to detect material misstatements
Book: is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor
Detection risk
The audit risk model is:
AR = IR × CR × DR
An _________ focuses on the computer-based aspects of an organization’s information system; and modern systems employ significant levels of technology.
IT audit
Before the auditor can determine the nature and extent of the tests to perform, he or she must gain a thorough understanding of the client’s business. A major part of this phase of the audit is the analysis of audit risk.
Audit Planning
Note: This is the first step in the IT audit
Review Organization’s Policies, Practices, and Structure
Review General Controls and Application Controls
Plan Tests of Controls and Substantive Testing Procedures
The techniques for gathering evidence at this phase include conducting questionnaires, interviewing management, reviewing systems documentation, and observing activities.
Audit planning
The objective of this phase is to determine whether adequate internal controls are in place and functioning properly.
The evidence-gathering techniques used in this phase may include both manual techniques and specialized computer audit techniques.
Tests of controls
Note: This is the 2nd step in an IT audit.
Perform Tests of Controls
Determine Degree of Reliance on Controls
At the conclusion of the _______ phase, the auditor must assess the quality of the internal controls by assigning a level for control risk.
The third phase of the audit process focuses on financial data.
This phase involves a detailed investigation of specific account balances and transactions through what are called substantive tests.
Substantive Testing
In an IT environment, the data needed to perform substantive tests (such as account balances and names and addresses of individual customers) are contained in data files that often must be extracted using _________________ software.
Computer-Assisted Audit Tools and Techniques (CAATTs)
is … policies, practices, procedures … designed to …
»safeguard assets
»ensure accuracy and reliability
»promote efficiency
»measure compliance with policies
Internal Control
The __________ had two main objectives:
(1) require that investors receive financial and other significant information concerning securities being offered for public sale; and
(2) prohibit deceit, misrepresentations, and other fraud in the sale of securities.
Securities Act of 1933
The ________ created the Securities and Exchange Commission (SEC) and empowered it with broad authority over all aspects of the securities industry, which included authority regarding auditing standards.
Securities Exchange Act 1934
This law, which has had multiple revisions, added software and other intellectual properties into the existing copyright protection laws
Copyright Law–1976
Following the series of S&L scandals of the 1980s, a committee was formed to address these frauds. Originally, the committee took the name of its chair, Treadway, but eventually the project became known as COSO (Committee of Sponsoring Organizations). The sponsoring organizations included:
Financial Executives International (FEI)
Institute of Management Accountants (IMA)
American Accounting Association (AAA), AICPA, and the IIA.
This law supports efforts to increase public confidence in capital markets by seeking to improve corporate governance, internal controls, and audit quality.
Sarbanes-Oxley Act of 2002
This concept holds that the establishment and maintenance of a system of internal control is a management responsibility. Although the FCPA supports this principle, SOX legislation makes it law!
Management Responsibility
The internal control system should provide _______ that the four broad objectives of internal control are met
reasonable assurance
___________ is a shield that protects the firm’s assets from numerous undesirable events that bombard the organization
internal control system
What are the three levels of control?
Preventive Control
Detective Control
Corrective Control
This is the first line of defense in the control structure.
Also, these are passive techniques designed to reduce the frequency of occurrence of undesirable events.
Preventive controls
These are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls. ________ also reveal specific types of errors by comparing actual occurrences to preestablished standards.
Detective Controls
Detective controls identify undesirable events and draw attention to the problem; _______ actually fix the problem.
corrective controls
The _________ is conceptually pleasing but offers little practical guidance for designing or auditing specific controls
PDC control model
The _________ sets the tone for the organization and influences the control awareness of its management and employees.
control environment
Organizations must perform a ___________ to identify, analyze, and manage risks relevant to financial reporting.
risk assessment
Initiate, identify, analyze, classify and record economic transactions and events.
Identify and record all valid economic transactions
Provide timely, detailed information
Accurately measure financial values
Accurately record transactions
Information and Communication
______ is the process by which the quality of internal control design and operation can be assessed. This may be accomplished by separate procedures or by ongoing activities.
_________ are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks.
Control activities
This class of controls relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the physical use of computers to record transactions or update
Physical Controls
The purpose of ____________ is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives. A
transaction authorization
One of the most important control activities is the segregation of employee duties to minimize incompatible functions.
Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
Fraud requires collusion [e.g., separate various steps in process]
This is often called a compensating control.
Serves as compensating control when lack of segregation of duties exists by necessity
The _______ of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.
accounting records
The _______ helps employees respond to customer inquiries by showing the current status of transactions in process
audit trail
The purpose of _________ is to ensure that only authorized personnel have access to the firm’s assets. Unauthorized access exposes assets to misappropriation, damage, and theft. Therefore, access controls play an important role in safeguarding assets.
access controls
_________ are independent checks of the accounting system to identify errors and misrepresentations
Verification procedures
The objectives of ___________ are to ensure the validity, completeness, and accuracy of financial transactions.
application controls
_______ include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program change procedures.
General controls
Are labor intensive and time consuming, which drives up audit costs and causes disruption
Substantive tests
Key concept of external audits
Three classes of auditing standards:
- General qualification
- Field work
- Reporting