Exam 2 (5-7) Flashcards
Financial statement assertions relevancy
Without regard for controls, have a reasonable possibility of containing a material misstatement
Three types of relevant financial statement assertions
- About classes of transactions and events
- Assertions about account balances
- Assertions about presentation and disclosures
Existence or occurrence
Assets, liabilities, and equity interests exist and recorded transactions have occurred
Rights and obligations
The company holds rights to the assets, and liabilities are the obligation of the company
Completeness
All assets, liabilities, equity interests, and transactions that should have been recorded are recorded
Cutoff
Transactions and events have been recorded in the correct accounting period
Valuation, allocation and accuracy
All transactions, assets, liabilities and equity interests are included in the financial statements at proper amounts
Presentation and disclosure
Accounts are described and classified in accordance with generally accepted accounting principles, and financial statement disclosures are complete, appropriate and clearly expressed
Audit risk =
Risk of material misstatement x risk that auditors fail to detect the misstatement
Risk of material misstatement =
Inherent risk x control risk
Inherent risk
Risk of a material misstatement occurring in an assertion assuming no related internal controls (without regard for them)
Control risk
Risk that a material misstatement in an assertion will not be prevented or detected on a timely basis by the company’s internal control
Detection risk
Risk that the auditors’ procedures will lead them to conclude that a material misstatement does not exist in an assertion when in fact such misstatement does exist
Assertions with high inherent risk
- Difficult to audit transactions or balances
- Complex calculations
- Difficult accounting issues
- Significant judgment by management
- Valuations that vary significantly based on economic factors
Three types of transactions
Routine, nonroutine, estimated
Routine transaction
Recurring financial statement activities recorded in the accounting records in the normal course of business, lower inherent risk
Nonroutine transaction
Involve activities that only occur periodically such as the taking of physical inventories, high inherent risk
Estimation transactions
Activities that create accounting estimates, higher inherent risk
Appropriate audit evidence must be
- Relevant
- Reliable
Audit evidence is more reliable when
- Obtained from knowledgeable independent sources outside the company rather than nonindependent sources
- Generated internally through a system of effective controls rather than ineffective controls
- Obtained directly by the auditor rather than indirectly or by inference
- Documentary in form rather than oral
- Provided by original documents rather than copies
7 types of audit evidence and examples
- Accounting info system, JEs/ledgers
- Documentary evidence, checks/invoices
- Third-party reps, confirms/lawyer letters
- Physical evidence, physical inventory
- Computations, recompute EPS
- Data interrelationships, headcount + sales
- Client representations, client rep letter re SOX
Risk assessment procedures
To obtain an understanding of the client and its environment, including its internal control, to assess the risk of material misstatement
Compliance tests (tests of controls)
When appropriate, to test the operating effectiveness of controls in preventing material misstatements
Substantive procedures
To detect material misstatements at relevant assertion level, include analytical procedures and tests of details of account balances, transactions and disclosures
One may change the scope of audit procedures by changing
- Nature (type and form)
- Extent (quantity of evidence contained)
- Timing (when performed)
Steps involved in analytical procedures
- Develop expectation of account or ratio balance
- Determine amount of difference that can be accepted without investigation
- Compare the company’s account or ratio with the expectation
- Investigate and evaluate significant differences
Four approaches to ratio analysis
- Horizontal
- Cross sectional
- Vertical
- Other methods
Horizontal analysis
Review ratios over time
Cross sectional analysis
Analyze ratios of similar firms at a point in time
Vertical analysis
Analyze relationships within a period, “common size” statements prepared
Data analytics
The process of using related and unrelated data sets to provide insights into decisions
Fair value
The price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants
Three auditing approaches
- Review and test management’s processes
- Independently develop an estimate
- Review subsequent events
Primary functions of audit documentation
Support the auditors’ compliance with auditing standards, support the auditors’ opinion
Secondary functions
Assist continuing and new audit team members in planning and performing the audit, serves as a record of matters of continuing audit interest, assists in supervision and review of the audit, demonstrates the accountability of team members, assists internal reviewers, external peer reviewers, PCAOB inspectors, and successor auditors in performing their roles
Audit documentation should be sufficient to
- Enable an experienced auditor to understand the work performed and the significant conclusions reached
- Identify who performed and reviewed the work
- Show that the accounting agrees or reconciles to the financial statements
9 types of working papers
- Audit administrative
- Working trial balance
- Lead schedules
- Adjusting journal entries and reclassification entries
- Supporting schedules
- Analysis of a ledger account
- Reconciliations
- Computational
- Corroborating documents
2 types of working files
- Current files
- Permanent files
Current files
Current year working papers, index and cross-referencing
Permanent files
Items of continuing audit interest
6 steps of audit process
- Plan the audit
- Obtain an understanding of the client and its environment, including internal control
- Assess the risks of material misstatement and design further audit procedures
- Perform further audit procedures
- Complete the audit
- Form an opinion and issue the audit report
Plan the audit
Establish an understanding with the client through an engagement letter, determine firm meets independence requirements, no management integrity issues, client understands terms
Items in engagement letters
- Name of the entity
- Management responsibilities
- Auditor responsibilities
Obtain an understanding of the client and its environment
Perform risk assessment procedures
Two types of fraud risks
- Fraudulent financial reporting (management fraud)
- Misappropriation of assets (defalcations)
Audit trail
Evidence that links source documents, journal entries and ledger entries
5 examples of internal control
1) time clock
2) payroll register
3) bank reconciliation
4) employee profile setup - HRIS
5) payroll service
internal control
a process, effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of (the entity’s) objectives on:
1) effectiveness and efficiency of operations
2) Reliability of financial reporting
3) Compliance with applicable laws & regulations
Foreign Corrupt Practices Act
1) FCPA
2) Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business
3) requires an effective system of internal control
4) makes illegal payment of bribes to foreign officials
Federal Sentencing Guidelines
1) sets standards for the sentencing of individuals and corporations for the commission of a felony
2) requires companies to have elements of an effective compliance program to help mitigate the severity of the sentencing
7 elements of a compliance program
1) implementing written policies, procedures and standards of conduct
2) designating a compliance officer and compliance committee
3) conducting effective training and education
4) developing effective lines of communication
5) conducting internal monitoring and auditing
6) enforcing standards through well-publicized disciplinary guidelines
7) responding promptly to detected offenses and undertaking corrective action
preventative controls over financial reporting
aimed at avoiding the occurrence of misstatements in the financial statements
2 examples of preventative controls
1) segregation of duties
2) access to computer center
2 examples of detective controls
1) monthly bank reconciliations
2) account reconciliations
detective controls over financial reporting
designed to discover misstatements after they have occurred
corrective controls over financial reporting
needed to remedy the situation uncovered by detective controls
example of a corrective control
backups of master file
3 controls overlap
1) complementary
2) redundant
3) compensating
complementary controls overlap
function together
redundant controls overlap
address same assertion or control objective
compensating controls overlap
reduces risk existing weakness will result in misstatement
2 examples of complementary controls overlap
1) cash approvals
2) bank recs
example of redundant controls overlap
computer & program login
example of compensating controls overlap
post transaction review: IT master file @ WAM
5 components of internal control (from the COSO)
1) the control environment
2) risk assessment
3) control activities
4) the accounting information and communication system
5) monitoring activities
7 key factors of the control environment
1) integrity and ethical values
2) commitment to competence
3) board of directors or audit committee
4) management philosophy and operating style
5) organizational structure
6) human resource policies and practices
7) assignment of authority and responsibility
risk
the possibility that an event will occur and adversely affect the achievement of objectives
risk assessment
involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives
6 factors indicative of increased financial reporting risk
1) changes in the regulatory or operating environment
2) changes in personnel
3) implementation of a new or modified information system
4) rapid growth of the organization
5) changes in technology affecting production processes or information systems
6) introduction of new line of business, products or processes
control activities
the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out
4 key factors of control activities
1) annual performance reviews of personnel
2) information processing
3) physical controls
4) segregation of duties
annual performance reviews of personnel
assure competency of workforce
2 activities under information processing
1) general control activities
2) application control activities
general control activities
preventative and detective
application control activities
SOX critical IT systems (systems that interface to financial data), logical controls (passwords, two factor authentication)
segregation of duties
segregate authorization, recording and custody of assets
accounting information system
The means by which financial information is communicated internally to employees and externally to shareholders and other interested parties. The integrity of this system is critical in order to assure completeness and accuracy of the reported information.
5 key factors of the accounting information system
1) Identify and record valid transactions
2) Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions
3) Measure the value of transactions appropriately
4) Determine the time period in which the transactions occurred to permit recording in the proper period
5) Present properly the transactions and related disclosures in the financial statements
Monitoring
Ongoing evaluations to ascertain whether each of the five components of internal control is present and functioning. Findings are communicated to management and the board of directors as appropriate
2 key factors of monitoring
1) ongoing monitoring activities
2) separate evaluations
ongoing monitoring activities
regularly performed supervisory and management activities
example of ongoing monitoring activities
continuous monitoring of customer complaints
separate evaluations
performed on non-routine basis
separate evaluations example
periodic audits by internal audit
4 limitations of internal control
1) Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
2) Controls that depend on the segregation of duties may be circumvented by collusion
3) Management may override the structure
4) Compliance may deteriorate over time
enterprise risk management (erm)
COSO issued a new framework that complements the COSO Internal Control model. Goes beyond internal control to focus on how organizations can effectively manage risks and opportunities.
The new “helix” or “DNA model” approach replaces the cube design and tries to illustrate how this needs to be interwoven into business strategy development much like DNA is embedded in human cells
5 Lines of Defense Implicit in COSO Internal Control Framework
1) Tone of the organization
2) Business unit management and process owners
3) Independent risk management and compliance functions
4) Internal assurance providers
5) Board risk oversight and executive management
5 control environment warning signs
1) Significant turnover of key executives; inappropriate performance pressures or compensation structure that encourages improper behavior; overly dominant chief executive who “kills the messenger” for delivering bad news
2) Middle and functional (grass roots) managers are not aligned to the company’s core values, mission or strategy
3) Risk is an afterthought to the business strategy
4) No clear escalation policy exists to bring items of concern to the appropriate levels of management or to the board of directors
5) Company has a high tolerance for risk and conflicts of interest
6 steps of an audit
- Plan the audit
- Obtain an understanding of the client and its environment, including internal control
- Assess the risks of material misstatement and design further audit procedures
- Perform further audit procedures
- Complete the audit
- Form an opinion and issue the audit report
Which steps of an audit relate most directly to the role of internal control in financial statement audits
steps 2-4
The understanding of internal control is used to help the auditor to (3)
1) Identify types of potential misstatements
2) Consider factors that affect the risks of material misstatement.
3) Design tests of controls (when applicable) and substantive procedures
4 procedures to obtain understanding
1) Inquiring of entity personnel – process “Walk-Through”
2) Observing the application of specific controls
3) Inspecting documents and reports
4) Tracing transactions through the information system relevant to financial reporting
4 ways to document the understanding of internal control
1) questionnaires
2) written narratives
3) flowcharts
4) walk-through
questionnaires
typically standardized by firm
written narratives
memos that describe flow of transactions
flowcharts
aka process map
walk-through
trace one or two transactions through cycle
4 general approaches to assess the risk of material misstatement
1) Identify risks while obtaining an understanding of the client and its environment, including its internal control
2) Relate the identified risks to what can go wrong at the relevant assertion level
3) Consider whether the risks are of a magnitude that could result in a material misstatement
4) Consider the likelihood that the risks could result in a material misstatement
3 examples of routine transactions
1) revenue
2) purchases
3) cash receipts & disbursements
2 examples of non-routine transactions
1) counting inventory
2) calculating depreciation expense
example of estimation transaction
determining the allowance for doubtful accounts
what type of transaction typically has the strongest controls
routine
4 responses to high risks
1) Assigning more experienced staff or those with specialized skills
2) Providing more supervision and emphasizing the need to maintain professional skepticism
3) Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed
4) Increasing the overall scope of audit procedures, including the nature, timing or extent
2 approaches to perform further audit procedures and test controls
1) Identify controls likely to prevent or detect material misstatements
2) Perform tests of controls to determine whether they are operating effectively
3 things tests of controls address
1) How controls were applied
2) The consistency with which controls were applied
3) By whom or by what means (e.g., electronically) the controls were applied
4 things tests of controls include
1) Inquiries of appropriate client personnel
2) Inspection of documents and reports
3) Observation of the application of controls
4) Re-performance of the controls
What are the results of the tests of controls used to determine
the nature, extent, and timing (NET) of substantive procedures
audit decision aids
Checklist, standard form or computer program that helps auditors make a decision by ensuring that they have all relevant information or by assisting them in combining the information
Auditors of public companies must report on (2)
1) Financial statements
2) Internal control over financial reporting (ICFR)
404(a) Sarbanes Oxley
1) requires annual report filed with SEC to include an internal control report
2) Management acknowledges responsibility for establishing and maintaining adequate internal control
3) Provides assessment of internal control effectiveness at end of fiscal year
404(b) Sarbanes Oxley
requires CPA firm to audit internal control and express an opinion on effectiveness of internal control (required for companies with a capitalization in excess of $75M)
Control deficiency
Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis
Material weakness
1) Reasonable possibility that a material misstatement will not be prevented or detected; audit report modification required
2) Reported to the AC and in Financial Statements
Significant deficiency
1) Less severe than material weakness yet important enough to merit attention; no audit report modification
2) Reported to the Audit Committee (AC) of Board
3 levels of severity of control deficiencies
1) Material weakness
2) Significant deficiency
3) Less than a significant deficiency
What is the only risk that can be controlled by the auditor?
detection risk