Final Exam (8-10, 17) Flashcards

1
Q

audit report

A

Providing an independent and expert opinion on the fairness of financial statements through an audit is the most frequent attestation service

2
Q

When performing an audit under GAAS, the auditors obtain __________ that the statements are in conformity with GAAP

A

reasonable assurance

3
Q

Reports on the financial statements ordinarily include an opinion that is on both the

A

financial statements themselves (BICs) and financial statement disclosures

4
Q

what is considered an integral part of the financial statements

A

notes to the financial statements

5
Q

auditors’ standard report - public clients must

A

1) Includes the words “Registered” and “Independent” in the title “Report of….”.
2) Must be addressed to shareholders and board of directors (additional parties are allowable).
3) References auditing standards of the PCAOB.
4) Provides a discussion of auditor and management responsibilities.
5) Includes a paragraph indicating that the auditors have also issued a report on the client’s internal control over financial reporting, or is a combined report on both the financial statements and internal control
6) Includes a Critical Audit Matters Section. (NEW requirement starting in 2019)
7) Includes statement on year audit firm began serving the client.
8) Signed with name of CPA firm not individual partner (but movement to have the partner’s name on the letter)
9) Includes the City of the office with responsibility for the audit
10) Dated no earlier than the date on which the auditors obtained sufficient appropriate audit evidence to support their opinion (typically the date used is the filing date of the 10K with the SEC)

6
Q

auditors’ standard report - nonpublic clients

A

1) Title that includes the word independent
2) Ordinarily addressed to the company itself, the shareholders, the audit committee, and/or the board of directors
3) Signed with name of CPA firm not individual partner unless the firm is a sole practitioner
4) Dated no earlier than the date on which the auditors obtained sufficient appropriate audit evidence to support their opinion

7
Q

PCAOB Critical Audit Matter includes

A

1) Identification of the CAM
2) Description of the principal considerations that led the auditor to determine that the matter was a CAM
3) Description of how the CAM was addressed in the audit
4) Reference to the relevant financial statement accounts or disclosures

8
Q

condition required for issuance of unmodified opinion

A

The auditors are able to obtain sufficient appropriate audit evidence to obtain reasonable assurance so as to be able to conclude that the financial statements as a whole are free from material misstatements

9
Q

Unmodified opinion - standard report

A

This report may be issued only when the auditors have obtained sufficient appropriate audit evidence to conclude the financial statements are not misstated and there is no need to alter the report for other situations

10
Q

Unmodified opinion - with an emphasis of matter paragraph

A

To emphasize a matter appropriately presented in the financial statements (e.g., a change in accounting principle)

11
Q

Unmodified opinion - with an other matter paragraph

A

To emphasize a matter other than those presented or disclosed in the financial statements (e.g., other information in documents containing audited financial statements) – special purpose example

12
Q

Unmodified opinion on group financial statements

A

When two or more CPA firms are involved in an audit and the group auditor (firm that does most of the work) does not wish to take responsibility for the work of the component auditors

13
Q

Qualified opinion

A

states that the financial statements are presented fairly in conformity with generally accepted accounting principles “except for” the effects of some matter

14
Q

Adverse opinion

A

states that the financial statements are not presented fairly in conformity with generally accepted accounting principles

15
Q

Disclaimer of opinion

A

means that due to a significant scope limitation, the auditors were unable to form an opinion or did not form an opinion on the financial statements

16
Q

Going concern effect on audit report if the matter is properly presented

A

unmodified opinion with an emphasis of matter paragraph added after the opinion paragraph (may also lead to disclaimer of opinion)

17
Q

Consistency effect on audit report if the matter is properly presented

A

unmodified opinion with an emphasis of matter paragraph added after the opinion paragraph

18
Q

Auditor discretionary effect on audit report if the matter is properly presented

A

unmodified opinion with an emphasis of matter paragraph added after the opinion paragraph

19
Q

Going concern effect on audit report if the matter is improperly presented in financial statements

A

a departure from GAAP is involved and the auditors modify the opinion paragraph to either a qualified or adverse opinion and add a basis for modification paragraph preceding the opinion paragraph

20
Q

Group audits effect on audit report if the matter is properly presented

A

Unmodified opinion. The component auditors are referred to when they do not take the responsibility for the component auditors’ work. If they take responsibility, no modification of the audit report is necessary

21
Q

Group audits effect on audit report if the matter is improperly presented in financial statements

A

Not applicable because it is an auditor reporting concern

22
Q

Before opinion paragraph

A

Basis for modification (qualified, adverse, disclaimer) paragraphs. For a modified opinion, such as a qualified or disclaimer, we want to prepare the reader for what is coming and provide context for our opinion; the emphasis of matter is BEFORE the opinion paragraph.

23
Q

After opinion paragraph - unqualified / unmodified

A

Emphasis of matter and other matter paragraphs. For unmodified, the emphasis of matter is typically AFTER the opinion paragraph. In the case of an unmodified or unqualified opinion, as auditors we want to FIRST tell the reader what our conclusion is and THEN tell them some extra information that entered into our decision-making process.

24
Q

Disclaimer of opinion

A

1) Auditor has no opinion
2) Issued whenever unable to form an opinion as to fairness of financial statements
3) Circumstances resulting in a disclaimer are those in which the possible misstatements are material and pervasive
4) Multiple uncertainties may also lead to a disclaimer
5) Not an alternative to adverse opinion

25
Q

Requirement for going concern

A

must evaluate

26
Q

5 conditions indicating a going concern

A

1) Negative cash flows from operations
2) Defaults on loan agreements
3) Adverse financial ratios
4) Work stoppages
5) Legal proceedings

27
Q

substantial doubt as to going concern status

A

Ordinarily an unmodified opinion with an emphasis of matter paragraph issued. Alternatively, a disclaimer of opinion may be issued

28
Q

pervasive misstatements

A

1) Not confined to specific accounts
2) If confined, they represent a substantial proportion of the financial statements
3) In relation to disclosures, they are fundamental to users’ understanding of the financial statements

29
Q

adverse opinion

A

1) Financial statements do not present fairly the financial position, results of operations, and cash flows of client in conformity with GAAP
2) Material and pervasive departures from GAAP
3) Auditor believes departure causes financial statements taken as a whole to be misleading

30
Q

reporting on comparative financial statements

A

1) Report should cover current year as well as prior period audited by their firm
2) Can express different opinions on different years

31
Q

different opinions on different statements

A

It is acceptable to express an unqualified opinion on one statement while expressing a qualified or adverse on the others

32
Q

8-K report

A

major developments that investors should know about are described in the 10-K or 10-Q, but if those developments don’t make the two filings in time, they are presented here. Addresses specific events and provides further detail and exhibits

33
Q

events that lead to the filing of the 8-K

A

bankruptcy or receivership, material impairments, completion of acquisition or disposition of assets, departures or appointments of executives

34
Q

10-Q report

A

a truncated version of the 10-K, provided within 45 days of the end of the first three quarters of the company’s fiscal year, details company’s latest developments and provides a preview of the direction it plans to take

35
Q

major differences between 10-K and 10-Q

A

10-Q has unaudited financial statements and less detailed reports

36
Q

10-K

A

provides investors with a comprehensive analysis of the company, contains more information than an annual report, more detailed financial statements, submit within 90 days of the end of the fiscal year

37
Q

Sections of the 10-K

A

1) Business summary that describes the company’s operations, business segments, history, real estate, marketing, research and development, competition and employees
2) The management discussion and analysis that provides a good explanation of the company’s operations and financial outlook
3) Financial statements
4) Management team and legal proceedings

38
Q

What does the filing time of the 10-Q and 10-K depend on?

A

market cap

39
Q

What is the primary resource for investors to determine if they want to invest in that business?

A

reports to the SEC

40
Q

less expensive software

A

Electronic checkbooks (e.g., Quicken: checkbook only)

41
Q

moderate system

A

Basic general ledger system (e.g., QuickBooks or Peachtree)

42
Q

large and expensive

A

ERP systems (e.g., SAP, Oracle, JD Edwards)

43
Q

National Institute of Standards and Technology (NIST)

A

1) Federal agency within the US Department of Commerce

2) Published a comprehensive cybersecurity framework (CSF) in response to President Obama’s executive order

3) Adoption is voluntary

4) HOWEVER, many companies have adopted this standard to govern their IT security AND most audit firms have adopted this as the standard by which they will measure their clients’ IT security efforts

5) Designed not only to keep the cyber criminals out of your data, but to assure nothing happens internally to make your computing environment unavailable or subject to processing errors

44
Q

What are the 5 governing controls of the NIST Cyber Security Framework?

A

Identify
Protect
Detect
Respond
Recover

45
Q

Identify

A

Understanding by management on how to manage cybersecurity risk to systems, assets, data, and capabilities

1) Asset Management
2) Business Environment
3) Governance
4) Risk Assessment
5) Risk Management Strategy

46
Q

Protect

A

Standards to ensure delivery of critical infrastructure services

1) Access Control
2) Awareness and Training
3) Data Security
4) Info Protection Processes and Procedures
5) Maintenance
6) Protective Technology

47
Q

Detect

A

Identify the occurrence of a cybersecurity event

1) Anomalies and Events
2) Security Continuous Monitoring
3) Detection Processes

48
Q

Respond

A

Action regarding a detected cybersecurity event

1) Response Planning
2) Communications
3) Analysis
4) Mitigation
5) Improvements

49
Q

Recover

A

Maintain plans for resilience and restore any capabilities or services

1) Recovery Planning
2) Improvements
3) Communications

50
Q

Top 20 IT Security Controls

A

1) Inventory of Authorized Devices

2) Inventory of Authorized Software

3) Secure Configurations for mobile devices, servers, laptops, etc

4) Continuous Vulnerability Assessments

5) Controlled Use of Administrator Privileges

6) Monitoring of Server Audit Logs

7) Email Protection (Phishing) and web site restrictions

8) Control the Spread of Malware

9) Management of Network Ports

10) Effective Backup and Recovery Processes

11) Configure Routers and Firewalls

12) Keep Bad Guys Out of your Network and Alert for Intrusions (IDS, SIEM)

13) Use Data Loss Prevention Tools

14) “Need-to-Know” Only Access

15) Secure Wireless Access Points

16) Actively Manage User Accounts

17) Develop Plan to Assess/Remediate Gaps in IT Security

18) Application Software Security

19) Cyber Incident Response & Management

20) Penetration Tests & Simulations

51
Q

IT systems usually consist of (2)

A

hardware and software

52
Q

hardware

A

Digital computer and peripheral equipment

53
Q

software

A

Various programs and routines for operating the system

54
Q

two types of software

A

systems and application

55
Q

systems software

A

Programs that control and coordinate hardware components and provide support to application software
Operating system (Examples: Unix, Windows)

56
Q

application software

A

Programs designed to perform a specific data processing task
Written in programming language (Example: Java)

57
Q

input/output devices

A

1) card readers
2) terminals
3) electronic cash registers
4) optical scanners
5) magnetic tape drives
6) magnetic disk drives
7) optical compact disks

58
Q

central processing unit (CPU)

A

1) Arithmetic unit
2) Control unit
3) Primary storage

59
Q

auxiliary storage

A

1) magnetic disks
2) magnetic drums
3) magnetic tapes
4) optical compact disks
5) flash drives
6) cloud storage

60
Q

system characteristics

A

Batch processing
Online capabilities
Database storage
IT networks
End user computing

61
Q

batch processing

A

Input data gathered and processed periodically in groups

Often more efficient than other types of systems but does not provide up-to-minute information

62
Q

example of batch processing

A

Accumulate all of a day’s sales transactions and process them as a batch at end of day

Weekly moving students in or out of canvas sections

63
Q

two types of online capabilities

A

online transaction processing (OLTP) and online analytical processing (OLAP)

64
Q

online transaction processing (OLTP)

A

Individual transactions entered from remote locations
Online real time (Example: Bank balance at ATM)

65
Q

online analytical processing (OLAP)

A

Enables user to query a system for analysis
Example: Data warehouse, decision support systems, expert systems (SW: Expert Choice)

66
Q

database system

A

allows users to access same integrated database file
Eliminates data redundancy
Creates need for data administrator for security against improper access
Commonly used term “Data Warehouse”

67
Q

networks

A

Computers linked together through telecommunication links that enable computers to communicate information back and forth
WAN, LAN
Internet, intranet, extranet, VPN, Cloud computing, …

68
Q

electronic commerce

A

Involves electronic processing and transmission of data between customer and client
Electronic Data Interchange (EDI)
Soon arriving on the scene – Block Chain Technology

69
Q

end user computing

A

1) User departments (such as the Accounting Department) are responsible for the development and execution of certain IT applications (mostly on PCs)
Involves a decentralized processing system

2) IT department generally not involved

3) Controls needed to prevent unauthorized access and unauthorized modifications

4) Examples: Excel – the “IT solution” of choice for many businesses (large and small). Cloud-based solutions that allow company data to be easily processed with just the use of a provided credit card. Various “off-the-shelf” systems such as Access, Tableau, and UiPath (Robotic Process Automation) that allow the user to create their own “system” for analyzing data and potentially using that data to book accounting entries. HIGH FOCUS AREA for auditors due to risk

70
Q

internal control in IT

A

Separation of duties
Clearly defined responsibilities
Augmented by controls written into computer programs

*** Key is preserving data integrity

71
Q

audit trail impact

A

Can affect audit procedures
Consulting auditors during design stage of IT-based system helps ultimate auditability

72
Q

computer-based fraud

A

History shows the person responsible for frauds in many situations set up the system and controlled its modifications
Segregation of duties – KEY!
Programming separate from controlling data entry
Programming separate from the “move to production” of software changes
Business unit sign-off/approval of all changes/updates
Computer operator separate from custody or detailed knowledge of programs
If segregation not possible need:
Compensating controls like batch totals
Organizational controls not effective in mitigating collusion

73
Q

if segregation is not possible what is needed

A

Compensating controls like batch totals

74
Q

general control activities

A

Access to programs and data

Developing new programs and systems

Changing existing programs and systems

IT operations controls

75
Q

application control activities

A

programmed (automated) control activities, manual follow-up activities

76
Q

programmed (automated) control activities

A

input validation checks, batch controls, processing controls

77
Q

input validation checks

A

Limit test (predefined upper and lower limit)
Validity test (data entered compared to master data)
Allowed character test (numeric or alpha or combo)
Missing data test (are all required fields entered)
Self-checking number (last digit in account # is mathematical calc of preceding numbers)

78
Q

batch controls

A

Item count (record count)
Control total (total sales processed)
Hash total (similar to control total, but has no intrinsic meaning – ex: sum of social security numbers)

79
Q

processing controls

A

Input controls noted above to assure data is processed accurately by the IT application

80
Q

manual follow-up activities

A

Exception reports follow-up

81
Q

user control activities

A

Designed to test the completeness and accuracy of IT-processed transactions
Designed to ensure reliability
Reconciliation of control totals generated by system to totals developed at input phase
Example: Sales invoices generated by IT-based system tested for clerical accuracy and pricing by the accounting clerk
Important for auditors to determine how the user gains comfort that key reports that are computer generated contain accurate data

82
Q

example of Reconciliation of control totals generated by system to totals developed at input phase

A

Sales invoices generated by IT-based system tested for clerical accuracy and pricing by the accounting clerk

83
Q

control in decentralized and single workstation systems

A

Involves use of one or more user operated workstations to process data

84
Q

needed controls for decentralized and single workstation systems

A

Train users
Document computer processing procedures
Backup files stored away from originals
Authorization controls (i.e. passwords)
Prohibit use of unauthorized programs
Use antivirus software
Lock down workstations to prevent installation of unauthorized software and to remove the user’s ability to turn off anti-virus programs

85
Q

techniques for testing application controls

A

Auditing Around the Computer–Manually processing selected transactions and comparing results to computer output

Manual Tests of Computer Controls–Inspection of computer control reports and evidence of manual follow-up on exceptions

Auditing Through the Computer–Computer assisted techniques

86
Q

auditing through the computer - computer assisted techniques

A

Test Data
Integrated Test Facility
Controlled Programs (or testing controls w/in program)
Program Analysis Techniques
Tagging and Tracing Transactions
Generalized audit software – parallel simulation

87
Q

using generalized audit software to perform substantive procedures

A

Examine client’s records for overall quality, completeness and valid conditions
Rearrange data and perform analyses
Select audit samples
Compare data on separate files
Compare results of audit procedures with client’s records

88
Q

typical inventory audit procedures using generalized audit software

A

1) observe the physical count, making appropriate test counts

2) test the mathematical accuracy of the inventory extensions and footings

3) compare the auditors’ test counts to the inventory records, book to floor

4) compare the client’s physical count data to the inventory records, floor to book

5) perform a lower of cost or market test by obtaining a list of current costs per item from vendors

6) test purchase and sales cutoff

7) confirm the existence of items located in public warehouses

8) analyze inventory for evidence of obsolescence or slow moving items. Companies are generally reluctant to write off such items due to income statement impact

89
Q

observe the physical count, making appropriate test counts

A

determine which items are to be test counted by selecting from the inventory file a sample of items that provides the desired dollar coverage

90
Q

test the mathematical accuracy of the inventory extensions and footings

A

for each item in the inventory file, multiply the quantity on hand by the cost per unit and add the extended amounts

91
Q

compare the auditors’ test counts to the inventory records, book to floor

A

organize the auditors’ test counts and compare them to inventory records

92
Q

compare the client’s physical count data to the inventory records, floor to book

A

compare the quantity of each item counted to the quantity on hand in the inventory file

93
Q

perform a lower of cost or market test by obtaining a list of current costs per item from vendors

A

compare the current costs per unit to the cost per unit in the inventory file; print out the extended value for each item, using the lower of the two unit costs, and add extended amounts

94
Q

test purchase and sales cutoff

A

list a sample of items on the inventory file for which the date of last purchase or last sale is on, or immediately before, the date of the physical count

95
Q

confirm the existence of items located in public warehouses

A

list items located in local warehouses and print confirmations

96
Q

analyze inventory for evidence of obsolescence or slow moving items. Companies are generally reluctant to write off such items due to income statement impact

A

list items from the inventory file for which the turnover ratio (quantity sold divided by quantity on hand) is low or for which the date of last sale indicates a lack of recent transactions

97
Q

controls when using cloud computing

A

management must take responsibility for controls

must be coordinated and integrated with provider

98
Q

computer service centers

A

provide outsourced processing/computer infrastructure services to customers who decide not to invest in their own processing of particular data. Such providers are referred to as Infrastructure as a Service

99
Q

examples of computer service centers

A

Microsoft Azure; Amazon Web Services; Google

100
Q

outsourced service provider

A

also offer a Software as a Service (SaaS) solution. Rather than having the software installed locally, the software is owned and housed by the 3rd party in their own IT environment

101
Q

outsourced service provider examples

A

QuickBooks on-line; Microsoft 360; Drips

102
Q

what are computer service centers and outsourced service providers?

A

cloud service providers, which open up significant risk for the auditor to evaluate

103
Q

cloud computing key concerns

A

How do the cloud provider and the client assure the completeness, accuracy and validity of the processed data?

What controls are in place on the client’s side concerning the above? (Some cloud providers actually specify these in their contracts)

How is data returned back to the client for inclusion in their financial system?

What ITGCs are in place to protect data while in transit and at rest from unauthorized viewing or manipulation while in the possession of the cloud provider?

104
Q

what reports are the auditor’s best friend

A

SOC 1 and/or SOC 2

105
Q

what makes the cloud a very attractive option

A

its ease of setup for new applications and cost effectiveness

106
Q

SSAE #18 report

A

For Service Providers that impact a company’s internal control environment

107
Q

examples of service providers

A

Payroll Service
Bank Trust Departments
Claims Processing Centers
Data Centers
Third Party Administrators, etc.
In general, any provider that’s in the cloud

108
Q

SOC 1 Report

A

For providers that “crunch the numbers” and provide the results back to the company for inclusion in their financials

109
Q

SOC 2 Report

A

Mainly for companies that provide server hosting, such as Amazon Web Services, Microsoft Azure, & Google where you are mainly concerned with availability and security of your data

110
Q

Type 1 and Type 2 Reports

A

Type 1s are basically worthless in that they only cover a point in time and only look at control design; Type 2 looks at the functioning of controls over a period of time, much like a traditional audit, AND offers an opinion by the auditor on the effectiveness of those controls

111
Q

IT Auditor certification

A

110 Question Exam – Not just for folks with IT background
Distinguish yourself from your colleagues with specific knowledge in applying a risk based approach to plan, execute, and report on engagements involving IT technology

112
Q

sources of cash

A

General checking account
Payroll checking accounts
Petty cash
Savings accounts

113
Q

cash equivalents

A

Money market funds
Certificates of deposit
Savings certificates

114
Q

objectives for the audit of cash

A

Consider inherent risk, including fraud risks, related to cash
Obtain understanding of internal control over cash
Assess the risks of material misstatement of cash and design compliance & substantive procedures that:
Substantiate the existence of recorded cash and occurrence of the related transactions
Establish the completeness of recorded cash
Verify the cutoff and accuracy of cash transactions
Determine that the client has rights to recorded cash
Determine that the presentation and disclosure of cash, including restricted funds, are appropriate

115
Q

why do we devote a large number of audit hours to cash

A

It is often the “heart of the organization”: liabilities, revenues, expenses and most other assets flow through cash
Our client’s most liquid asset so greater temptation for misappropriation
High risk account – cash gets “legs”

116
Q

finance and accounting departments work together to provide assurance that

A

All cash that should have been received was in fact received, recorded accurately and deposited promptly
Cash disbursements have been made for authorized purposes only and have been properly recorded
Cash balances are maintained at adequate, but not excessive, levels by forecasting

117
Q

9 guidelines for internal control over cash

A

Do not permit any one employee to handle a transaction from beginning to end.

Separate cash handling from recordkeeping.

Centralize receiving of cash to the extent practical.

Record cash receipts on a timely basis.

Encourage customers to obtain receipts and observe cash register totals.

Deposit cash receipts daily

Make all disbursements by check or electronic funds transfer, with the exception of small expenditures from petty cash.

Have monthly bank reconciliations prepared by employees not responsible for the issuance of checks or custody of cash. The completed reconciliation should be reviewed promptly by an appropriate official.

Monitor cash receipts and disbursements by comparing recorded amounts to forecasted amounts

118
Q

Bank rec add what to per bank statement

A

deposit in transit, bank errors

119
Q

Bank rec subtract what to per bank statement

A

outstanding checks, bank errors

120
Q

bank rec add what to per books

A

notes collected by bank, book errors

121
Q

bank rec subtract what to per books

A

NSF (bounced) checks, check printing or other service charges, book errors

122
Q

bank account reconciliation procedures

A

Is it being done timely and consistently (for a monthly control, pull a random sample of 3 months – may want to stratify the sample for entities with large number of bank accounts – not all bank accounts carry the same value)

Typically, you would like to see it being done prior to the final closing of the books
This will allow for major issues to be reached prior to issuing the 10K/10Q

Is it being done for ALL bank accounts

Is there a “preparer” and a “reviewer” for it, in other words, is there another set of eyes on it

SOD issue: it must be performed by someone who has no responsibility or authority over the cash collection and disbursement process. This is KEY to assure validity of the recon

Is supporting documentation attached to it?
Copy of Bank Statement (Auditor should ask employee to log into bank’s web site and observe the on-line version of the bank statement to assure it matches what’s attached to it)

Copy of G/L showing cash per books

What follow-up action is taken for outstanding checks or for NSF checks?

Developing technology – Robotic Process Automation (RPA) – can automate this relatively mundane but very important task

If your client is using RPA, also make contact with your IT audit group to review the integrity of the automated process

The same processes as noted above should still be observed

123
Q

examples of cash audit procedures

A

Audit of Bank Reconciliation

Audit of Check Disbursements: 3-way match
Purchase Order
Receiving Report
Invoice

124
Q

cash disbursement process

A

purchase requisition

purchase order

notify vendor

vendor shipment

goods receipt (no access to other role)

invoice receipt

payment to vendor

125
Q

receiving document

A

The item quantity is confirmed by the company’s Receiving Department and manually entered line-by-line into the company’s ERP system under that PO number. In addition, once all items are received, the PO is closed in the system to prevent incidents of fraud such as re-ordering of the same materials without going through the proper approval process

126
Q

invoice

A

3 Way Match Documents
PO
Receiving Report
Invoice

127
Q

2 way match process

A

Similar in concept to a 3-way match process in that there needs to be a valid PO for the purchase. However, two major differences:
Used for SERVICES vs materials
NO receiving report

invoices are usually automatically routed to a designated individual to confirm the services were rendered. Once confirmation is received, and the PO is not over-spent, the invoice is paid.

128
Q

cash disbursement

A

is only initiated via ACH, wire transfer or paper check after the 3-way match has been successfully completed and the invoice presented for payment. This is typically an automated process in an ERP system (SAP, Oracle, etc)

129
Q

canceling a document

A

Once paid, the invoice is this. In addition, once the check is processed, it also is this (by the bank). Most companies use Positive Pay (verification of $ amount) and Positive Payee (verification of payee’s name) to prevent fraudulent cashing of the check

130
Q

proof of cash

A

sometimes referred to as a 4 Column Reconciliation is essentially a roll forward of each line item in a bank reconciliation from one accounting period to the next, incorporating separate columns for cash receipts and cash disbursements

Highly recommended where volume of transactions and amount of cash is very large or where fraud is suspected

131
Q

proof of cash equation

A

Beginning balance + Cash receipts in the period - Cash disbursements in the period = Ending balance

132
Q

what is proof of cash used to identify

A

Cash receipts and disbursements recorded in the accounting records, but not on the bank statement.
Cash deposits and disbursements recorded on the bank statement, but not on the accounting records.
Cash receipts and disbursements recorded at different amounts by the bank than in the accounting records

133
Q

internal controls over cash receipts

A

cash sales, collections of receivables

134
Q

internal controls over cash sales

A

Involvement of two or more employees
Cash Registers
Electronic point of sale systems

135
Q

internal controls over collection of receivables

A

Initial listing of cash receipts
Custody and depositing of cash receipts
Maintenance of customer account records
Reconciliation of customers’ ledgers with control accounts
Mailing monthly statements to customers
Collection activity and past-due accounts
Direct receipt of funds by financial institution

136
Q

internal control over cash disbursements

A

Segregation of duties most critical
Payment of obligations by check, credit card, or electronic funds transfer vs paper cash
Use of pre-numbered checks
Match of purchase order and receiving document with vendor’s invoice (3 way match – automated process)
Review of supporting documents by authorized check signer or other designated invoice approver (for non-3 way match invoices)
Cancel of supporting documents (PO and Invoice)
Authorized check signer should mail checks
Not always feasible in large corporations where checks are printed off-site using an “electronic signature”
Monthly bank reconciliation

137
Q

tests of controls over cash

A

Test the accounting records and reconciliations by reperformance.
Compare the details of a sample of cash receipts listings to the cash receipts journal, accounts receivable postings, and authenticated deposit slips.
Compare the details of a sample of recorded cash disbursements in the cash payments journal to accounts payable postings, purchase orders, receiving reports, invoices, and paid checks.

138
Q

tests of balances

A

1. Reconcile cash balances to the general ledger.
2. Confirm cash balances with financial institutions.
3. Obtain or prepare bank reconciliations as of the balance sheet date and consider the need to reconcile for additional months.
4. Obtain a cutoff bank statement containing transactions of at least seven business days subsequent to balance sheet date.
5. Count and list cash on hand.
6. Verify the client’s cutoff of cash receipts and cash disbursements.
7. Analyze bank transfers for the weeks around year end.
8. Investigate any checks to/from related parties.
9. Evaluate proper financial statement presentation and disclosure of cash.

139
Q

obtain analyses of cash balances and reconcile them to general ledger

A

existence and accuracy

140
Q

send standard confirmation forms to financial institutions. obtain reconciliations of bank balances and consider reconciling bank activity. obtain bank cutoff statement. count cash on hand

A

existence, occurrence, accuracy, cutoff, and rights

141
Q

verify the client’s cutoff of cash transactions. analyze bank transfers occurring around year end

A

cutoff, existence, occurrence, rights and completeness

142
Q

investigate payments to related parties. evaluate financial statement presentation and disclosure

A

presentation and disclosure

143
Q

bank cutoff statement

A

a bank statement subsequent to the date of the balance sheet

144
Q

Check 21 Act

A

Checks may be processed electronically vs physically moving a paper check from bank to bank which is costly and time consuming
Electronic processing creates a substitute check which is an electronic image of the original check
You no longer receive your original cancelled check from the bank
Legal equivalent of original check for all purposes
Audit implications
Need to rely on substitute check for evidence of check
Almost impossible for clients to kite checks (manipulate bank balances to conceal cash shortage) due to enhanced speed with which checks are now cleared

145
Q

Kiting

A

Manipulations that utilize temporarily overstated bank balances to conceal cash shortage or meet short-term cash needs

these schemes rely upon the existence of a “float period” in which transactions are not processed in real time

Increased electronic processing has made this more difficult through reducing (or eliminating) the float period

Auditors can detect this by preparing a schedule of bank transfers for a few days before and after balance sheet date

146
Q

what is the first indication that fraud is being committed

A

the observation that someone is living beyond their means

147
Q

one standard deviation from the mean

A

accounts for 68% of the set

148
Q

two standard deviations from the mean

A

accounts for 95% of the set

149
Q

three standard deviations from the mean

A

accounts for 99.7% of the set

150
Q

audit sampling

A

Applying a procedure to less than 100% of a population for the purpose of drawing a general conclusion about the account balance, or the entire group of transactions, based on the characteristics detected in this

allows an auditor to draw conclusions about transactions or balances without incurring the time and cost of examining every transaction

151
Q

when is sampling used in field audits

A

when it is not efficient to review 100% of the record

152
Q

audit sampling

A

Used to estimate some characteristic of the population, either:
Qualitative: attribute sampling
Compliance Test: Tests of Controls
Quantitative: variables sampling
Substantive Test: Tests of Account Balances

153
Q

representative sample

A

one in which the characteristics in the sample of audit interest are approximately the same as those of the entire population

154
Q

what is the auditor’s primary objective when selecting a sample to review

A

making sure it is representative of the entire population

155
Q

two risks cause a sample to be non-representative

A

Sampling risk
Non-sampling risk

156
Q

sampling risk

A

Risk that an auditor reaches an incorrect conclusion because the sample is not representative of the population
Risk that the auditors’ conclusions based on a sample may be different from the conclusion they would reach IF they examined every item in the population

157
Q

two types of sampling risk

A

assessing risk too high and assessing risk too low

158
Q

assessing risk too high

A

Relates to the efficiency of the audit. Results in the auditors performing more substantive testing than necessary. Does not impact audit effectiveness

159
Q

assessing risk too low

A

Relates to the auditors assessing the control risk lower than it actually is which lessens the probability of detecting material financial misstatements. Has huge implications for the effectiveness of audit

160
Q

non-sampling risk

A

Risk that the audit tests do not uncover existing exceptions in the sample, caused by:
Auditor failure to recognize errors or exceptions
Inappropriate or ineffective audit procedures
Basically, the auditor messed up the testing

161
Q

statistical sampling

A

Applies the laws of probability theory to assist the auditor in designing a sampling plan and subsequently evaluating the results of the sample

162
Q

non-statistical sampling

A

Solely based on the auditor’s judgment

163
Q

judgmental sampling

A

The auditor estimates sampling risk by using professional judgment rather than statistical techniques

Provides no means of quantifying sampling risk

Best practice: After you select the statistical sample, review all data from the entire population and find the “outliers”

Example: Look for data points that are in the far right side of the bell curve (3 standard deviations off the mean)

164
Q

advantages of statistical sampling

A

Allows auditors to measure and control sampling risk which helps:
Design efficient samples (IE: You don’t have an unlimited amount of time to do your work)
Measure sufficient amount of evidence
Objectively evaluate sample results

165
Q

selection of random sample

A

results in a statistically unbiased sample that may or may not be a representative sample

KEY: You have to make sure you have the entire population of the data you are trying to audit prior to using any methodology to select your sample. In other words “garbage-in; garbage-out”
Not always as easy as it looks

Data in ERP system may be segregated by cost center, geographic area, company code, business segment, etc.

Random sample techniques
Random number tables – IE: “stone tablet” approach.

Although in your book, we will not cover since there are much better tools readily available
Random number generators – See Excel illustration
Systematic selection

166
Q

two types of statistical sampling plans

A

attributes sampling and discovery sampling

167
Q

attributes sampling (control testing)

A

“On” or “Off” – Look for the presence or the absence of some attribute (EX: Signature, Bill of Lading, etc)

168
Q

discovery sampling (special purpose testing)

A

Designed to detect at least one error in population or for critical deviations that are not expected to be frequent in number
Mainly used for fraud/forensics testing

169
Q

classical variables testing (substantive testing) mean per unit estimation

A

Helpful to estimate the appropriate account balance when the underlying documentation is not available.
Total population of 3,000 items in accounts receivable
Sample size is 50.
Adding up the individual values of the 50 items, you get a total of $2,000; therefore, your mean is $40 ($2,000/50). Your mean estimate of the true value of accounts receivable is $120,000 ($40 x 3,000)

170
Q

application of classical variables testing mean per unit estimation

A

Confidence level is 95 percent
Error rate is 10 percent
Conclusion: you can say that you’re 95 percent confident that the total value of accounts receivable is $120,000, plus or minus $12,000 ($120,000 times your error rate of 10 percent)

171
Q

classical variables testing ratio estimation (extrapolation)

A

Applies the sample ratio to an entire population
Sample for any of your client’s accounts shows errors of $1,000 in a total sample of $10,000, your misstatement ratio is 10 percent ($1,000/$10,000)

172
Q

classical variables testing ratio estimation (extrapolation) application

A

The above ratio is applied to the entire population.
If the entire population totals $50,000, your projected misstatement of the entire population is $5,000 ($50,000 x 10 percent)
If this is lower than your tolerable error rate, you are good to go

173
Q

classical variables testing difference estimation

A

Similar to ratio estimation
However, it incorporates the items in the population.

174
Q

classical variables testing difference estimation

A

Total population consists of 5,000 items and your sample consists of 1,000 items. Your audit procedures find errors totaling $500. The projected misstatement is $2,500 [($500/1000 items) = $.50/item x 5,000 items].
If this is less than your tolerable error rate, you are good to go

175
Q

classical variables testing Probability-proportional-to-size (PPS) sampling (Substantive Testing – sometimes called “monetary unit sampling”)

A

defines the sampling unit as each individual dollar making up the book value of the population
With this method, the bigger the size of the unit, the higher the chance it has of being included in the sample. For this method to bring increased efficiency, the measure of size needs to be accurate.
Contrast to random sampling where each object (invoice, inventory item, etc) has an equal probability of being selected

176
Q

allowance for sampling risk employed

A

Amount used to create a range, set by “+ or –” limits from the sample results, within which the true value of the population characteristic being measured is likely to lie (for example, plus or minus 2% error)
The wider the interval, the more confident that the true population falls within that interval; however, the increased interval size also leads to a less precise conclusion:
Sample deviation = 2%
If Allowance for Sampling Risk = +/- 1%; Actual deviation range = 1% to 3%
If Allowance for Sampling Risk = +/- 2%; Actual deviation range = 0% to 4%

Can be used to construct a dollar interval

177
Q

sample size

A

Significant effect on Allowance for Sampling Risk and Sampling Risk

As it increases, Sampling Risk and Allowance for Sampling Risk decrease

affected by characteristics of population
General rule: as population increases, it increases

178
Q

when planning the sample consider

A

The relationship of the sample to the relevant audit objective
Materiality or the maximum tolerable misstatement or deviation rate
Allowable sampling risk
Characteristics of the population

179
Q

requirements of audit sampling plans

A

Select sample items in such a manner that they can be expected to be representative of the population
Sample results should be projected to the population
Items that cannot be audited should be treated as misstatements or deviations in evaluating sample results
Nature and cause of misstatements or deviations should be evaluated

180
Q

other sample selection methods

A

haphazard selection, block selection, stratification

181
Q

haphazard selection

A

Select items on an arbitrary basis, without any conscious bias

182
Q

block selection

A

all items in a selected time period, numerical sequence or alphabetical sequence
Least desirable for use in control/substantive testing; primarily used for fraud/forensic investigations

183
Q

stratification

A

Technique of dividing population into relatively homogeneous subgroups

184
Q

advantages of classical variables sampling

A

when there are many misstatements in the population, it will result in a small sample size

items with zero and negative balances do not require any special treatment

sample size may be somewhat easier to expand if that becomes necessary

185
Q

disadvantages of classical variables sampling

A

to determine the sample size, the standard deviation of the population must be estimated

to evaluate results, the sample’s standard deviation must be calculated

it (especially mean per unit) must be stratified, requiring the use of a computer to perform the computations

186
Q

advantages of monetary unit sampling (MUS)

A

the technique is generally easier to use

no estimate of the standard deviation of the population is needed

the technique automatically stratifies the population because items are selected based on their dollar amount

when there are few misstatements, the technique will generally result in a smaller sample size

sample selection can begin before the entire population is available

187
Q

disadvantages of monetary unit sampling (MUS)

A

special considerations are required to handle understated accounts and negative balances

each item in the population must have a book value

when misstatements are found, the technique might overstate the allowance for sampling risk

for accounts with a moderate number of misstatements, the sample size may exceed that of classical techniques

188
Q

audit risk =

A

inherent risk x control risk x detection risk

189
Q

audit risk

A

The allowable audit risk that a material misstatement might remain undetected for the account balance and related assertions

190
Q

inherent risk

A

the risk of a material misstatement in an assertion, assuming there were no related controls

191
Q

control risk

A

the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by internal control

192
Q

detection risk

A

the risk that the auditors’ procedures will fail to detect a material misstatement if it exists

193
Q
A