Chapter 3 Flashcards
Before the auditor accepts an engagement, what communication between teh predecessor and the auditor should be made?
Obtain client’s permission to make inquiries of the predecessor auditor
Specific inquiries include:
- Information that might bear on management intergrity;
- Disagreements with managment over accounting principles, auditing procedures, or similarly significant matters;
- The predecessor’s understanding as to the reasons for the change of auditors, and
- Communication to managment, the audit committee, and those charged with governance regarding fraud, illegal cats by clients, and matters relating to internal control
After accepting the engagement, what communication between the auditor and the predecessor can be made?
The auditor may:
- Make specific inquiries regarding matters that may affect the conduct of the audit (e.g., audit problems)
- Review the predecessor’s audit documentation related to matters of continuing accounting and auditing significance
Note that the auditor should notmake reference to teh work of the predecessor as the basis for the opinion
What should the auditor assess when considering the firm’s client acceptance and continuance policies?
The auditor should assess:
- The firm’s ability to meet reporting deadlines
- The firm’s ability to staff the engagement
- Independence
- Integrity of client management
- The group engagement’s team ability to obtain sufficient appropriate audit evidence
What topics should be included in the agreement to audit engagement terms? What is the purpose of establishing such an understanding?
An understanding should include:
- Objectives and the scope of the audit
- Management’s responsibilities
- The auditor’s responsibilities
- The limitations of the engagement
- Other matters such as timing, client assistance, fees and billing, etc.
The purpose of the agreement is to reduce the risk of misunderstanding. Note that an engagement letter documenting the understanding is a requirement under PCAOB standards.
Name the six main financial statement assertions for nonissuer and issuers
COVERU and CEO APPROVED
Nonissuer:
COMPLETENESS; CutOFF; VALUATION, allocation and accuracy; EXISTENCE and occurence; RIGHTS and obligations; UNDERSTANDABILITY and classification (COVERU)
Issuer:
COMPLETENESS; EXISTENCE, OCCURENCE (CEO)
ALLOCATION; PRESENTATION, RIGHTS, OBLIGATIONS, VALUATION; E; DISCLOSURE
(APPROVED)
Name the relevant assertinos for “transactions and events”
- Completeness
- (Prior period) Cutoff
- Accuracy
- Classification
- Occurence
Name the relevant assertions for “account balances”
- Completeness
- Allocation and Valuation
- Rights and Obligations
- Existence
Name the releveant assertions for “presenation and disclosure”
- Completeness
- Understandability and Classification
- Rights and Obligations, and Occurence
- Valuation and Accuracy
What is the audit strategy?
The audit strategy outlines the scope of the audit engagement, the reporting objectives, timing of the audit, and required communications, and the factors that determine the focus of the audit. The audit strategy also includes a preliminary assessment of materiality and tolerable misstatement
Define materiality and tolerable misstatement
Materiality is the amount of error or omission that would affect the judgment of a reasonable person. The auditor uses judgment to set the initial levels of materiality (including materiality for the F/S as a whole, performance materiality, and materiality for particular classes of transactions, account balances, and disclosures), and to revise them appropriately throughout the audit
Tolerable misstatement is the maximum error in a population that the auditor is willing to accept. Tolerable misstatement is the application of performance materiality to a particular sampling procedure.
What is an audit plan?
A written audit plan (required for every audit) is a listing of audit procedures that the auditor believes are necessary to accomplish the objectives of the audit. The audit plan typically follows development of the audit strategy.
What should be included in each step of the audit plan?
“We cast out NET over the audit!”
Each step of the audit plan should set out the procedure in detail, specifying the nature, extent and timing of the work to be performed and including a reference to the assertion under consideration.
N - NATURE
E - EXTENT
T - TIMING
List the 3 types of audit procedures and tell why each is used
Risk assessment procedures - To obtain an understanding of the entity and its environment, including its internal control
Tests of control - To evaluate the operating effectiveness of internal control in preventing or detecing material misstatements
Substantive procedures - To detect material misstatements in the F/S
What are the responsibilities of assistants when there are disagreements?
Assistants have a responsibility to exercise due professional care and to observe standards of fieldwork. They should bring any disagreements with the conduct of the audit to the attention of the auditor-in-charge
The assistant also has the right to document the disagreement and, if necessary, to disassociate from the opinion
What factors determine the amount of reliance an independent auditor may place on the work of internal auditors?
The following factors affect the amount of reliance:
- The objectivity of internal auditors (level of reporting within the organizational structure)
- The competence of internal auditors
- An evaluation of the work performed by internal auditors
Note that the external auditor remains soley responsible for the audit report, and mya not share judgment responsibility with the internal auditor
Should an auditor refer to the work of a specialst in the auditor’s report?
Generally, in the case of an unmodified opinion, no reference is made to the work of a specialist. If, however, the auditor decides to express a modified opinion due to the work of the specialst, reference to the specialist may be made. The auditor may need the permission from the specialist before making reference to the specialist.
Under the ISAs, the auditor is required to obtain permission from the specialist before making reference to the specialist in the report
Under PCAOB standards, what facotrs affect the nature and extent of necessary planning activities?
- The size and complexity of the company
- The auditor’s previous experience with the company
- Changes in circumstances that occur during the audit
According to PCAOB standards, what factors indicate less complex operations?
- Fewer business lines
- Less complex business processes and financial reporting systems
- More centralized accounting functions
- Extensive involvement of senior managment in day to day operations
- Fewer levels of management
The engagement partner is responsible for:
- Planning the audit
- Supervising the work of engagement team members
- Complying with relevant audit standards
What factors determine the nature, extent, and timing of supervision?
- The size and complexity of the entity
- The nature of the work assigned to each engagement team member
- The assessed risk of material misstatement
- The qualifications of the assistants
Distinguish between the 3 types of material misstatements
The 3 types of material misstatements are:
- Factual misstatements: There is no doubt
- Judgmental misstatements: Management and the auditor have material judgment differences on accounting estimates or the application of accounting policies
- Projected misstatements: This represents the auditor’s best estimate of misstatements in populations, by projecting misstatements in an audit sample to the population that the samples were drawn.
What is audit risk? List and define the two elements of audit risk
Audit risk is the risk that the auditor may unknowingly fail to modify appropriately the opinion on financial statements that are materially misstated. It is comprised of:
- Risk of material misstatement - The risk that the financial statements are materially misstated
- Detection risk - The risk that the auditor will not detect a material misstatement that exists in a relevant assertion
State the audit risk model including the relationship of detection risk to substantive tests
AR = RMM x DR
Where
RMM = Risk of material misstatement
DR = Detection risk
Note that as the acceptable level of detection risk increases, the assurance required from substantive tests decreases. As the acceptable level of detection risk decreases, the assurance required from substantive testing must increase
What are the two components of the risk of material misstatement?
Inherent risk:
The susceptibility of a relevant assertion to a material misstatement assuming there are no related controls.
Control risk:
The risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected (and corrected) on a timely basis by the entity’s internal control
What is the difference between error and fraud?
State the auditor’s responsibility to detect errors and fraud.
An error is an unintentional misstatement or omission of amounts or disclosures in the F/S
Fraud is an intentional action that results in misstatements or omissions of financial information with the intent to deceive financial statement users
The auditor must plan and perform the audit (using due care and professional skepticsm) to provide reasonable (not absolute) assurance about whether the F/S are free of material misstatement, whether due to errors or fraud
Name the two types of fraud
- Fraudulent financial reporting
- Misappropriation of assets, of defalcation
What fraud risk factors are generally present when fraud occurs?
The 3 conditions that generally are present when fraud occurs are:
- Incentives/pressures;
- Opportunity; and
- Rationalization/attitude
The auditor identifies and evaluates these fraud risk factors as part of assessing the risk of material misstatement due to fraud
When analyzing fraud risk, which 4 attributes should the auditor consider?
The auditor should consider the following fraud risk attributes:
- Type of risk
- Significance of the risk
- Likelihood of the risk
- Pervasivenes of the risk
How would an auditor report noncompliance of a law or regulation assuming: 1) it has a material effect on the F/S; 2) there is insufficient evidence; or 3) the client refuses to accept a modified report?
Scenario 1: if not adequately reflected in the F/S a qualified opinion or adverse opinon should be issued
Scenario 2: If unable to obtain sufficient evidence of a suspected noncompliance, a qualified opinion or disclaimer of opinion should be issued
Scenario 3: If the client refuses to accept a modified report, the auditor should withdraw from the engagement and contact thos charged with governance in writing
Why is the auditor required to obtain an understanding of the entity and its environment?
To assess the risk of material misstatement and to make informed judgments about other audit matters such as:
- Materiality and tolerable misstatment
- The entity’s selection and application of accounting procedures
- Areas that require special audit consideration
- Design and performance of further audit procedures
What steps should the auditor perform in assessing and responding to risk?
- Obtain an understanding of the entity and its environment, including its internal control
- Assess the risk of material misstatement
- Respond to the assessed level of risk by designing further audit procedures based on this assessment
- Test internal controls to evaluate their operating effectiveness
- Perform substantive tests
- Evaluate the suffciency and appropriatness of audit evidence obtained
What risk assessment procedures should the auditor use to obtain an understanding of the entity and its enviroment?
Risk assessment procedures include:
- Inquiry
- Analytical procedures
- Observation and inspeciton
- Risk assessment discussion
What factors should be examined when obtaining an understanding of the entity and environment?
When obtaining an understanding of the entity and environment, the auditor should understand:
- Industry, regulatory, and other external factors
- The nature of the entity
- Objectives, strategies, and business risks
- The entity’s financial performance
- Internal control
- The company’s selection and application of accounting principles (issuer audits - PCAOB standards)
What are analytical procedures?
Evaluations of financial information made by a study of plausible relationships among both financial and nonfinancial data (e.g., ratio analysis).
Note: Analytical procedures are required in the planning and final review phases of the audit. They also may be used (but are not required) in substantive testing
For what purpose are analytical procedures used in the audit planning phase?
Analytical procedures are used in planning the audit to understand the client’s business and to identify ununsual transactions and events, amounts, ratios, or trends that might represent specific risks relevant to the audit
What are the objectives of internal control?
- To promote efficiency and effectiveness of operations
- To ensure reliable financial reporting
- To encourage compliance with applicable laws and regulations
What are some inherent limitations of internal control?
ERRORS may be made in the performance of control procedures.
COLLUSION provides a way to bypass controls related to segregation of duties
Top managment can OVERRIDE internal controls
Segregation of duties may be difficult to achieve in a SMALLER ENTITY.
What are the 5 components of internal control?
CRIME
C - CONTROL environment
R - RISK assessment
I - INFORMATION and communication systems
M - MONITORING
E - EXISTING control activities
Why is the control environment particularly important to internal control?
The control environment sets the tone of an organzation, influencing the control consciousness of its employees, and providing the foundation for the other components of internal control.
What factors are included in the control environment?
- Communication and enforcement of integrity and ethical values
- Management’s commitment to competence
- Participation of those charge with governance
- Managament’s philosophy and operating style
- Organizational structure
- Assignment of authority, responsibility, and accountability
- Human resouce policies and practices
Describe the “risk assessment’ component of internal control
Risk assessment is an entity’s identification and analysis of risks to achievement of its objectives with respect to financial reporting. Risk assessment involves identification, analysis, and management of business risk relevant to the preparation of F/S.
What functions are served by an entity’s information system with respect to financial reporting?
- Identify and record all valid transactions
- Describe transactions in a timely manner and in sufficient detail to allow proper classification
- Measure and record the proper monetary value of transactions
- Determine and ensure proper recording of transactions and events in the appropriate time period
- Present transactions and related disclosures properly in the F/S
What functions should an auditor understand about an entity’s communication system with respect to financial reporting?
- The methods used to communicate roles, responsibilities, and significant matters related to financial reporting
- Communications between management and those charged with governance, and between management and external parties
What activities may be considered part of the monitoring component of internal control?
The montoring process may include”
- Managment and supervisionary activities
- Separate internal control evaluations
- The internal audit function
- Evaluation of communications from external parties
Name some control activities that are revelant to an audit
PAID TIPS
P - PRENUMBERING of documents
A - AUTHORIZATION of transactions
I - INDEPENDENT checks to maintain asset accountability
D - DOCUMENTATION
T - TIMELY and appropriate performance reviews
I - INFORMATION processing general and application controls
P - PHYSICAL controls for safeguarding assets
S - SEGREGATION of duties
What functions should be segregated?
Segregation of duties is your ARC to protect against a flood of troubles
AUTHORIZING transactions
RECORDING tranascations
Maintaining CUSTODY of the related assets
Why does an auditor obtain an understanding of the client’s internal control?
An auditor obtains an understanding of internal control to evaluate the design of controls and determine whether they have benn implemented, to assess the risk of material misstatement, and to design the nature, extent, and timing of further audit procedures.
When are a service organization’s services considered to be part of an entity’s information system?
A service organization’s services are considered to be part of an entity’s information system when those services affect the initiation, execution, processing, or reporting of the user company’s transactions.
What type of reports may a service auditor provide, and what is the difference in how the user auditor may use them?
The service auditor may provide a “Report on Management’s Description of the Service Organization’s System and the Suitability of the Design and Operating Effectiveness of Controls (Type 2 Report)” or simply a “Report on Management’s Description of the Service Organization’s System and the Suitability of the Design of Controls (Type 1 Report).” The Type 2 Report may support a reduction in the assessed level of control risk whereas the Type 1 Report does not
What steps should the auditor take in designing the nature, extent, and timing of further audit procedures?
The auditor uses his or her understanding of the entity and environment, including internal control to:
- Identify types of potential material misstatements
- Consider the factors that affect the risk of material misstatements
- Design tests of controls, when appicable
- Design substantive procedures
What are the 3 ways in which an auditor should respond to assessed risk?
The auditor should responde to assessed risk in 3 ways:
- An overall response, to address risk at the FS level
- A response at the relevant assertion level
- A response to significant risks
What is a significant risk?
A significant risk is one that requires special audit consideration. The following factors may be indicative of a significant risk:
- Nonroutine, unusual, or complex transactions
- Business risks that may result in material misstatement
- Fraud risk
- Significant related party transactions
- Accounting estimates of other subjective measurements of financial information
- Accounting principles that are subject to different interpretations
What are the documentation requirements surrounding the auditor’s assessment of risk?
The auditor should document the:
- Discussion among the audit team
- Understanding of the entity and its environment, including its internal control
- Assessment of the risks of material misstatement
- Basis for the risk assessment
- Identified risks and related controls evaluated
What are the two approaches an auditor may use to responde to identified risks at the relevant assertion level?
Substantive approach - Only substantive testrs are used, either because there are no effective controls, or because it would not be efficient to test the operating effectiveness of controls
Combined approach - Tests of the operating effectiveness of control and tests of substantive procedures are both used.
When are tests of controls performed?
When the auditor’s risk assessment is based on the assumption that controls are operating effectively;
OR
When substantive procedures alone are insufficient, such as when there is a significant amount of electronic processing
How does the auditor’s assessment of the risk of material misstatement affect substantive procedures?
- The auditor’s determination that the risk of material misstatement is high necessitates a greater level of assurance from substantive procedures, which may be obtained by varying the nature, extent, or timing of such procedures
- The auditor’s determination that the risk of material misstatement is low allows a reduction in the assurance required from substantive procedures. This too may be accomplished by varying the nature, extent, or timing of such procedures
What are the documentation requirements surrounding the auditor’s response to assessed risk?
The auditor should document the:
- Overall response addressing assessed risk at the F/S level
- Nature, extent, and timing of further audit procedures
- Linkage of further audit procedures with assessed risk at the relevant assertion level
- Results of audit procedures
- Conclusions reached regarding the use of prior period evidence
Under PCAOB standards, what factors are relevant to the conclusion that sufficient appropriate evidence has been obtained?
- The significance of uncorrected misstatements and the likelihood of their having a material effect ont he F/S
- The results of audit procedures performed
- The auditor’s risk assessment
- The appropriateness of the evidence obtained