Chapter 7

Question 1

Mgmt’s Responsibility under 404 (The Four Specific Requirements)

Answer 1

Mgmt issues a report as of ICFR at the end of the year.

1) Accept Responsibility.
2) Evaluate effectiveness of ICFR.
3) Support with Evidence.
4) Prepare a written assessment of the findings.

Question 2

Auditor’s Responsibility under 404 and AS5

Answer 2

Issue a ICFR report as of end of the year and report of F/S fairness as of Dec. 31 (Two Reports here!)

1) Must use an integrated audit approach.
2) Level of comfort is the same level for both reports, “Reasonable Assurance”.
3) We do our report, and mgmt does theirs!

Question 3

ICFR Responsibilities: Overall Implementation and Reliability?

Answer 3

Overall Implementation: Rests with Board of Directors and Mgmt.
Reliability: CEO and CFO.

Question 4

Control Deficiency

Answer 4

Either Design/Operating or both.

Question 5

Design Deficiency

Answer 5

Where controls are missing or they are improperly designed. Has some fault that doesn’t make them effective.

Question 6

Operating Deficiency

Answer 6

Properly designed, but the person isn’t using it properly. Dont know how to do it, or the person is not adequately trained. Always a question of execution!

Question 7

Material Weakness

Answer 7

Deficiency in internal control that imposes a reasonable possibility that controls will not catch misstatements. Report in 10k, to mgmt, and audit committee.

Question 8

Significant Deficiency

Answer 8

Control deficiency or combination of these that are less severe than a material weakness but is relatively important to be communicated to mgmt, audit committee, and board.

Question 9

Minor Control Deficiency

Answer 9

Control deficiencies that are not significant at any level, “noise level”, should just be aware of them. Report verbally to mgmt.

Question 10

Likelihood

Answer 10

Possibility a misstatement could happen.

Items can be remote or reasonably possible or probable.

Question 11

Magnitude (POP-POP)

Answer 11

How big, how much, based on materiality.

Three levels: Material. Not material but significant. Not material or significant.

Question 12

Compensating Controls

Answer 12

A control that compensates for a lack of another control, that can mitigate or take away control deficiencies.
Controls that are further down the road.
Can change deficiencies level, from significant to minor.

Question 13

Mgmt’s Process for Assessing ICFR (Four Steps)

Answer 13

1) Identify financial reporting risks & related controls.
2) Consider locations.
3) Eval/Test to determine operating effectiveness.
4) Documentation.

Question 14

1. Identify financial reporting risks & related controls

Answer 14

Specific controls: reconciliation.

Entity level controls: extends over the entirety of the company.

Question 15

2. Consider Locations

Answer 15

If risk and materiality is low at a location, and has good entity level controls then just test for controls! If Vice versa, do test of controls and test for specifics.
Look at each location separately, helps you determine how much work you will have to do.

Question 16

3. Eval/Test to Determine Operating Effectiveness

Answer 16

High Risk and Direct Testing or Monitoring.

High Risk: Focus on risk: As risk increases, mgmt needs better or more information/testing needed.

Question 17

Direct Testing

Answer 17

Directly: IA, mgmt, cheaper to do testing themselves and they are familiar with own company. Cross training can happen so people know how to do work at all times. Client can hire third party, but auditor can not do this!

Question 18

On Going Monitoring

Answer 18

Controls and things mgmt has in place to make sure things are going well.

Question 19

Documentation

Answer 19

Document findings.

Question 20

Audit of ICFR (External Auditor): Integrated Audit (Three Key Points)

Answer 20

1) ICFR and F/S are planned and done together.
2) Done by the same firm at the same time.
3) Results or findings of ICFR audit have to be considered and used in F/S audit and vice versa.

Question 21

Audit of ICFR (External Auditor): The Five Big Steps

Answer 21

1. Planning.
2. Identify Controls to Test (Top-Down Approach).
3. Test Key Controls.
4. Evaluate control deficiencies identified.
5. Form Opinion/Conclusion.

Question 22

1. Planning

Answer 22

Understand what mgmt did and results, but do not opine on their work.
A) Assess Risk/Fraud.
B) Scaling audit.
C) Using work of others.

Question 23

1A) Assess Risk/Fraud

Answer 23

Think about significant and unusual transactions. Related party transactions. Areas that have high inherent risk. Controls that discourage mgmt from things they should not do.

Question 24

1B) Scaling Audit

Answer 24

Adjusting the audit based on size and complexity of the client.

Question 25

1C) Using the Work of Others

Answer 25

OK to use work done by IA, any outsiders that client has brought in.
Higher the risk/more significant the balance the less you’ll use clients work! You should do the work!

Question 26

2. Identify Controls to Test (Top Down Approach)

Answer 26

A) Identify entity level controls.
B) Identify significant accounts/disclosures/assertions.
C) Identify likely sources of misstatement.
D) Select Key Controls to test.

Question 27

2A) Identify Entity Level Controls

Answer 27

Control Environment and Period End reporting process.

Question 28

2B) Identify Significant Accounts/Disclosures/Assertions

Answer 28

Size, susceptibility to misstatement, volume, related party transactions.

Question 29

2C) Identify Likely Sources of Misstatement

Answer 29

Understand how transactions flow through the system. Where are weaknesses and how is mgmt overcoming them?
AS2 looks at classes of transactions; AS5 you are looking at the process of transactions.

Question 30

2D) Select Key Controls to Test

Answer 30

Only test “key” controls that are important to the auditor. Consider locations. Up to your judgement.
Consider these:
Preventive Control: designed to keep a problem from happening.
Detective Control: will catch something if it happens.

Question 31

3. Test Key Controls

Answer 31

Design and Operating effectiveness.
A) Nature, Timing, and Extent.
B) Use of PY knowledge in CY.
C) IT Benchmarking.

Question 32

3A) Nature

Answer 32

What type of testing will we do. Walkthrough, inspection, observation, inquiry or recalculation.

Question 33

3A) Timing

Answer 33

When are we going to test and do it! Must test controls throughout the year so we can conclude that they work throughout the year and as of Dec. 31. Have to roll forward work if done earlier in the year!

Question 34

3A) Extent

Answer 34

How much you do.
As risk/materiality goes up, the quantity/quality of evidence must go up!
More you test it, greater the comfort you get.

Question 35

3B) Use of PY Knowledge in CY

Answer 35

Can use the knowledge of PY to help plan nature, timing, extent of this year, but you CAN NOT skip testing!

Question 36

3C) IT Benchmarking

Answer 36

Every year you have to test general controls.
If application controls haven’t changed or are still working effectively, you can skip the testing of application controls in next following years after first year!
Only thing you can skip in SOX.

Question 37

4. Evaluate Control Deficiencies Identified

Answer 37

Consider only if a misstatement COULD occur, and be detected. Consider Magnitude (POP-POP) and Likelihood and compensating controls.

Question 38

5. Form Opinion/Conclusion

Answer 38

A) Remediation. B) Get Reps from Mgmt.

Question 39

5A) Remediation

Answer 39

You have identified a material weakness, mgmt can come in and fix the problem in a SUFFICIENT time, then they can test it by the end of year, and then the auditors can test by the end of the year! If done by the end of year, it goes away! Need to be tested by both mgmt and auditor by YE.

Question 40

5B) Get Reps from Mgmt

Answer 40

Signed by CEO/CFO. Representation letter relating to ICFR Audit (Two usually for public company). If you do not get it you either disclaim or withdraw!

Question 41

Auditors Opinion (Can be separate or combined with F/S opinion) (Three Choices)

Answer 41

Unqualified. Adverse. Disclaimer.

Question 42

Unqualified Opinion

Answer 42

Can have minor effect on scope or control deficiency and still get an unqualified opinion. NO material weakness, but may have a significant deficiency.

Question 43

Adverse Opinion

Answer 43

One or more material weakness, you have to give an adverse opinion!

Question 44

Adverse Opinion on Controls, but Unqualified on F/S?

Answer 44

Could have MW, but has not happened yet. You can test around it and consider MW when the audit was planned. Still did enough testing around the MW to still see them fairly presented.
Always want to tell reader, that the MW did not impact the audit report!

Question 45

Disclaimer

Answer 45

More than minor effect on the scope (Rare for ICFR Audit). Not able to apply opinion on controls for some reason beyond control of mgmt or the auditor.