Final Exam (8-10, 17) Flashcards
audit report
Providing an independent and expert opinion on the fairness of financial statements through an audit is the most frequent attestation service
When performing an audit under GAAS, the auditors obtain __________ that the statements are in conformity with GAAP
reasonable assurance
Reports on the financial statements ordinarily include an opinion that is on both the
financial statements themselves (BICs) and financial statement disclosures
what is considered an integral part of the financial statements
notes to the financial statements
auditors’ standard report - public clients must
1) Includes the words “Registered” and “Independent” in the title “Report of….”.
2) Must be addressed to shareholders and board of directors (additional parties are allowable).
3) References auditing standards of the PCAOB.
4) Provides a discussion of auditor and management responsibilities.
5) Includes a paragraph indicating that the auditors have also issued a report on the client’s internal control over financial reporting, or is a combined report on both the financial statements and internal control
6) Includes a Critical Audit Matters Section. (NEW requirement starting in 2019)
7) Includes statement on year audit firm began serving the client.
8) Signed with name of CPA firm not individual partner (but movement to have the partner’s name on the letter)
9) Includes the City of the office with responsibility for the audit
10) Dated no earlier than the date on which the auditors obtained sufficient appropriate audit evidence to support their opinion (typically the date used is the filing date of the 10-K with the SEC)
auditors’ standard report - nonpublic clients
1) Title that includes the word independent
2) Ordinarily addressed to the company itself, the shareholders, the audit committee, and/or the board of directors
3) Signed with name of CPA firm not individual partner unless the firm is a sole practitioner
4) Dated no earlier than the date on which the auditors obtained sufficient appropriate audit evidence to support their opinion
PCAOB Critical Audit Matter includes
1) Identification of the CAM
2) Description of the principal considerations that led the auditor to determine that the matter was a CAM
3) Description of how the CAM was addressed in the audit
4) Reference to the relevant financial statement accounts or disclosures
condition required for issuance of unmodified opinion
The auditors are able to obtain sufficient appropriate audit evidence to obtain reasonable assurance so as to be able to conclude that the financial statements as a whole are free from material misstatements
Unmodified opinion - standard report
This report may be issued only when the auditors have obtained sufficient appropriate audit evidence to conclude the financial statements are not misstated and there is no need to alter the report for other situations
Unmodified opinion - with an emphasis of matter paragraph
To emphasize a matter appropriately presented in the financial statements (e.g., a change in accounting principle)
Unmodified opinion - with an other matter paragraph
To emphasize a matter other than those presented or disclosed in the financial statements (e.g., other information in documents containing audited financial statements) – special purpose example
Unmodified opinion on group financial statements
When two or more CPA firms are involved in an audit and the group auditor (firm that does most of the work) does not wish to take responsibility for the work of the component auditors
Qualified opinion
states that the financial statements are presented fairly in conformity with generally accepted accounting principles “except for” the effects of some matter
Adverse opinion
states that the financial statements are not presented fairly in conformity with generally accepted accounting principles
Disclaimer of opinion
means that due to a significant scope limitation, the auditors were unable to form an opinion or did not form an opinion on the financial statements
Going concern effect on audit report if the matter is properly presented
unmodified opinion with an emphasis of matter paragraph added after the opinion paragraph (may also lead to disclaimer of opinion)
Consistency effect on audit report if the matter is properly presented
unmodified opinion with an emphasis of matter paragraph added after the opinion paragraph
Auditor discretionary effect on audit report if the matter is properly presented
unmodified opinion with an emphasis of matter paragraph added after the opinion paragraph
Going concern effect on audit report if the matter is improperly presented in financial statements
a departure from GAAP is involved and the auditors modify the opinion paragraph to either a qualified or adverse opinion and add a basis for modification paragraph preceding the opinion paragraph
Group audits effect on audit report if the matter is properly presented
Unmodified opinion. The component auditors are referred to when the group auditors do not take responsibility for the component auditors’ work. If the group auditors take responsibility, no modification of the audit report is necessary
Group audits effect on audit report if the matter is improperly presented in financial statements
Not applicable because it is an auditor reporting concern
Before opinion paragraph
basis for modification (qualified, adverse, disclaimer) paragraphs, for a modified opinion, such as a qualified or disclaimer, we want to prepare the reader for what is coming and provide context for our opinion, the emphasis of matter is BEFORE the opinion paragraph
After opinion paragraph - unqualified / unmodified
emphasis of matter and other matter paragraphs, for unmodified, the emphasis of matter is typically AFTER the opinion paragraph, in the case of an unmodified or unqualified opinion, as auditors we want to FIRST tell the reader what our conclusion is and THEN tell them some extra information that entered into our decision-making process
Disclaimer of opinion
1) Auditor has no opinion
2) Issued whenever unable to form an opinion as to fairness of financial statements
3) Circumstances resulting in a disclaimer are those in which the possible misstatements are material and pervasive
4) Multiple uncertainties may also lead to a disclaimer
5) Not an alternative to adverse opinion
Requirement for going concern
must evaluate
5 conditions indicating a going concern
1) Negative cash flows from operations
2) Defaults on loan agreements
3) Adverse financial ratios
4) Work stoppages
5) Legal proceedings
substantial doubt as to going concern status
Ordinarily an unmodified opinion with an emphasis of matter paragraph issued. Alternatively, a disclaimer of opinion may be issued
pervasive misstatements
1) Not confined to specific accounts
2) If confined, they represent a substantial proportion of the financial statements
3) In relation to disclosures, they are fundamental to users’ understanding of the financial statements
adverse opinion
1) Financial statements do not present fairly the financial position, results of operations, and cash flows of client in conformity with GAAP
2) Material and pervasive departures from GAAP
3) Auditor believes departure causes financial statements taken as a whole to be misleading
reporting on comparative financial statements
1) Report should cover current year as well as prior period audited by their firm
2) Can express different opinions on different years
different opinions on different statements
It is acceptable to express an unqualified opinion on one statement while expressing a qualified or adverse on the others
8-K report
major developments that investors should know about are described in the 10-K or 10-Q, but if those developments don’t make the two filings in time, they are presented here. Addresses specific events and provides further detail and exhibits
events that lead to the filing of the 8-K
bankruptcy or receivership, material impairments, completion of acquisition or disposition of assets, departures or appointments of executives
10-Q report
a truncated version of the 10-K, provided within 45 days of the end of the first three quarters of the company’s fiscal year, details company’s latest developments and provides a preview of the direction it plans to take
major differences between 10-K and 10-Q
10-Q has unaudited financial statements and less detailed reports
10-K
provides investors with a comprehensive analysis of the company, contains more information than an annual report, more detailed financial statements, submitted within 90 days of the end of the fiscal year
Sections of the 10-K
1) Business summary that describes the company’s operations, business segments, history, real estate, marketing, research and development, competition and employees
2) The management discussion and analysis that provides a good explanation of the company’s operations and financial outlook
3) Financial statements
4) Management team and legal proceedings
What does the filing time of the 10-Q and 10-K depend on?
market cap
What is the primary resource for investors to determine if they want to invest in that business?
reports to the SEC
less expensive software
Electronic checkbooks (e.g., Quicken: checkbook only)
moderate system
Basic general ledger system (e.g., QuickBooks or Peachtree)
large and expensive
ERP systems (e.g., SAP, Oracle, JD Edwards)
National Institute of Standards and Technology (NIST)
1) Federal agency within the US Department of Commerce
2) Published a comprehensive cybersecurity framework (CSF) in response to President Obama’s executive order
3) Adoption is voluntary
4) HOWEVER, many companies have adopted this standard to govern their IT security AND most audit firms have adopted this as the standard by which they will measure their clients’ IT security efforts
5) Designed not only to keep the cyber criminals out of your data, but to assure nothing happens internally to make your computing environment unavailable or subject to processing errors
What are the 5 governing controls of the NIST Cyber Security Framework?
Identify
Protect
Detect
Respond
Recover
Identify
Understanding by management on how to manage cybersecurity risk to systems, assets, data, and capabilities
1) Asset Management
2) Business Environment
3) Governance
4) Risk Assessment
5) Risk Management Strategy
Protect
Standards to ensure delivery of critical infrastructure services
1) Access Control
2) Awareness and Training
3) Data Security
4) Info Protection Processes and Procedures
5) Maintenance
6) Protective Technology
Detect
Identify the occurrence of a cybersecurity event
1) Anomalies and Events
2) Security Continuous Monitoring
3) Detection Processes
Respond
Action regarding a detected cybersecurity event
1) Response Planning
2) Communications
3) Analysis
4) Mitigation
5) Improvements
Recover
Maintain plans for resilience and restore any capabilities or services
1) Recovery Planning
2) Improvements
3) Communications
Top 20 IT Security Controls
1) Inventory of Authorized Devices
2) Inventory of Authorized Software
3) Secure Configurations for mobile devices, servers, laptops, etc
4) Continuous Vulnerability Assessments
5) Controlled Use of Administrator Privileges
6) Monitoring of Server Audit Logs
7) Email Protection (Phishing) and web site restrictions
8) Control the Spread of Malware
9) Management of Network Ports
10) Effective Backup and Recovery Processes
11) Configure Routers and Firewalls
12) Keep Bad Guys Out of your Network and Alert for Intrusions (IDS, SIEM)
13) Use Data Loss Prevention Tools
14) “Need-to-Know” Only Access
15) Secure Wireless Access Points
16) Actively Manage User Accounts
17) Develop Plan to Assess/Remediate Gaps in IT Security
18) Application Software Security
19) Cyber Incident Response & Management
20) Penetration Tests & Simulations
IT systems usually consist of (2)
hardware and software
hardware
Digital computer and peripheral equipment
software
Various programs and routines for operating the system
two types of software
systems and application
systems software
Programs that control and coordinate hardware components and provide support to application software
Operating system (Examples: Unix, Windows)
application software
Programs designed to perform a specific data processing task
Written in programming language (Example: Java)
input/output devices
1) card readers
2) terminals
3) electronic cash registers
4) optical scanners
5) magnetic tape drives
6) magnetic disk drives
7) optical compact disks
central processing unit (CPU)
1) Arithmetic unit
2) Control unit
3) Primary storage
auxiliary storage
1) magnetic disks
2) magnetic drums
3) magnetic tapes
4) optical compact disks
5) flash drives
6) cloud storage
system characteristics
Batch processing
Online capabilities
Database storage
IT networks
End user computing
batch processing
Input data gathered and processed periodically in groups
Often more efficient than other types of systems but does not provide up-to-minute information
example of batch processing
Accumulate all of a day’s sales transactions and process them as a batch at end of day
Weekly moving students in or out of canvas sections
two types of online capabilities
online transaction processing (OLTP) and online analytical processing (OLAP)
online transaction processing (OLTP)
Individual transactions entered from remote locations
Online real time (Example: Bank balance at ATM)
online analytical processing (OLAP)
Enables user to query a system for analysis
Example: Data warehouse, decision support systems, expert systems (SW: Expert Choice)
database system
allows users to access same integrated database file
Eliminates data redundancy
Creates need for data administrator for security against improper access
Commonly used term “Data Warehouse”
networks
Computers linked together through telecommunication links that enable computers to communicate information back and forth
WAN, LAN
Internet, intranet, extranet, VPN, Cloud computing, …
electronic commerce
Involves electronic processing and transmission of data between customer and client
Electronic Data Interchange (EDI)
Soon arriving on the scene – Blockchain Technology
end user computing
1) User departments (such as the Accounting Department) are responsible for the development and execution of certain IT applications (mostly on PCs)
Involves a decentralized processing system
2) IT department generally not involved
3) Controls needed to prevent unauthorized access and unauthorized modifications
4) Examples: Excel – the “IT solution” of choice for many businesses (large and small). Cloud-based solutions that allow company data to be easily processed with just the use of a provided credit card. Various “off-the-shelf” systems such as Access, Tableau, and UiPath (Robotic Process Automation) that allow the user to create their own “system” for analyzing data and potentially using that data to book accounting entries. HIGH FOCUS AREA for auditors due to risk
internal control in IT
Separation of duties
Clearly defined responsibilities
Augmented by controls written into computer programs
*** Key is preserving data integrity
audit trail impact
Can affect audit procedures
Consulting auditors during design stage of IT-based system helps ultimate auditability
computer-based fraud
History shows the person responsible for frauds in many situations set up the system and controlled its modifications
Segregation of duties – KEY!
Programming separate from controlling data entry
Programming separate from the “move to production” of software changes
Business unit sign-off/approval of all changes/updates
Computer operator separate from custody or detailed knowledge of programs
If segregation not possible need:
Compensating controls like batch totals
Organizational controls not effective in mitigating collusion
if segregation is not possible what is needed
Compensating controls like batch totals
general control activities
Access to programs and data
Developing new programs and systems
Changing existing programs and systems
IT operations controls
application control activities
programmed (automated) control activities, manual follow-up activities
programmed (automated) control activities
input validation checks, batch controls, processing controls
input validation checks
Limit test (predefined upper and lower limit)
Validity test (data entered compared to master data)
Allowed character test (numeric or alpha or combo)
Missing data test (are all required fields entered)
Self-checking number (last digit in account # is mathematical calc of preceding numbers)