IC- Concepts and Standards Flashcards
List the advantages of narratives (memos) to document the auditor’s understanding of internal controls.
1-Tailored to client;
2-Can be as detailed or as general as desired;
3-Easy to prepare;
4-Easy to read.
What is the purpose of performing a walkthrough?
Obtain some feedback as to whether the way the auditor has understood (and documented) the entity’s internal controls is consistent with the way the entity is actually processing such transactions.
List the disadvantages of narratives (memos) to document the auditor’s understanding of internal controls.
- Writing such a memo is rather unstructured, lacking a systematic approach;
- It may be rather easy to overlook relevant internal control issues.
Identify 3 ways auditors might document their understanding of internal controls.
- Flowcharts of transaction cycles;
- Internal control questionnaires;
- Narrative write-ups (memos).
Identify 2 reasons for assessing control risk at the maximum level.
1-The auditor believes that the design of internal control is ineffective; or
2-The auditor believes that reliance on internal control (and performing applicable tests of control) is not an efficient audit strategy compared to a wholly substantive audit approach.
When should the auditor assess the design effectiveness of internal control?
In planning every audit under GAAS, as a basis for determining the nature, timing, and extent of further audit procedures.
When should the auditor assess the operating effectiveness of internal control?
Whenever the auditor contemplates a reliance strategy (which means the same thing as “assessing control risk at less than the maximum level”) and only after performing the appropriate tests of control.
What are some inherent limitations of internal controls?
- Faulty human judgement
- Human error
- Collusion by two or more people
- Inappropriate management override of controls
Definition of substantive procedures and what they comprise?
An audit procedure designed to detect MM at the assertion level. They comprise:
Tests of details (transactions, account balances, etc.)
Substantive analytical procedures (analytical procedures required at the start and review, while substantive procedures during the audit use professional judgement)
List some examples of appropriate responses by the auditor to risks of material misstatement at the financial statement level.
Assign more experienced staff to the engagement;
Provide closer supervision;
Use specialists;
Use more unpredictable audit procedures.
What are the 3 different types of audit procedures?
Risk assessment procedures
Tests of control
Substantive procedures
Define “significant deficiency.”
A deficiency (or combination of deficiencies) in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
What is meant by the term deficiency in design?
When a control necessary to meet the control objective is missing, or when the control objective is not always met, even if the control operates as designed.
Define material weakness.
A deficiency (or combination of deficiencies) in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.
Describe the timing of the required communication of significant deficiencies in internal control.
Under AICPA professional standards, written communication is required no later than 60 days after the audit report release date (including matters communicated orally during the audit).
What is meant by the term deficiency in operation?
When a properly designed control does not operate as designed, or when the person performing the control does not have the authority or competence to effectively perform the control.
When using the work of the internal audit function to obtain audit evidence, what three matters should the external auditor evaluate?
1-Objectivity—the internal audit function’s organizational status and the objectivity of the internal auditors;
2-Competence of the internal auditors; and
3-Whether the internal audit function applies a “systematic and disciplined approach, including quality control.”
Objective of AU-C 315, Understanding the Entity and Its Environment
To identify/assess the RMM, whether due to fraud or error, at the FS/assertion level through understanding entity and environment, including the entity’s IC, thereby providing a basis for designing/implementing responses to the assessed RMM
What are the 3 primary objectives of system of IC at the entity level?
[ACE] in the hole:
Accurate and reliable financial reporting
Compliance w/ applicable laws/regulations
Efficient and effective operations
Events and Transactions (5 assertions):
[CPA-CO] I/S
Completeness
Period cutoff
Accuracy
Classification
Occurrence
Account Balances (4 assertions):
[RACE] B/S
Rights and Obligations
Allocation and Valuation
Completeness
Existence
Presentation (5 assertions):
[RACOU-n] Notes
Rights and Obligations
Accuracy and Valuation
Completeness
Occurrence
Understandability and Classification
As far as IC, Mngmt is responsible for the …
[DIM]
Development, Implementation, and Maintenance of IC, while the auditor seeks reasonable assurance that IC are achieving objectives (ACE)
5 components of IC
[CRIME]
Control environment- “tone at the top” [CHOPPER]
Risk assessment- internal and external
Control activities- policies/procedures carried out [PIPS, ARCC-S]
Information and communication
Monitoring controls/if they are effective
Control Environment
[CHOPPER] Foundation for all other components
Commitment to competence
HR policies/practices
Organizational structure
Participation of TCWG
Philosophy of mngmt/operating style
Ethical values/integrity
Responsibility assignment
Control Activities
[PIPS]
Performance reviews- controls evaluate performance against a criteria
Information processing- controls that prevent processing of info unless criteria are met
Physical controls- limit access to assets
Segregation of duties [ARCC-S]- Authorization, Recording, Custody, Comparisons, Segregate all of these
Risk Assessment
The entity’s risk assessment, not the auditor’s done during planning. Obtain an understanding of whether the entity has a process for identifying risks, estimating their significance, assessing likelihood of occurrence, and actions taken.
- If it has a process, then understand what failed (MW or SD?)
- If no process, does the absence represent a SD or MW?
Steps to understanding of entity’s IC structure:
1-Obtain understanding of all 5 components [CRIME] through risk assessment procedures (form? [AIIO] is risk assessment procedures: AP, Inquiries, Inspection, Observation)
2-Document the understanding of IC [FIND]: Flowchart, ICQ, Narrative, Decision tree
3-Assessing RMM (No rely=high RMM=more sub testing; Yes rely=low RMM=combined approach)
4-Tests of controls (public issuers must perform)- test operating effectiveness through [RIIO]: Reperformance, Inspection, Inquiry, Observation (most effective)
5-Reassess RMM to determine DR- based on results of #4, modify sub procedures; Rely high, CR low, DR high, Sub low.
6-Document basis for conclusions- must document assessment of RMM, basis for assessment, sig risks identified, risks that req ToC to obtain suff evidence.
DR in equation form
RMM x DR = AR
or AR / RMM = DR
What are the inherent limitations of internal control?
[COCO]
Collusion
Override by management
Competence/human error
Obsolescence
* Reasonable assurance and cost/benefit factor
List management’s assertions
[U-PERCV]
Understandability and classification
Presentation and disclosure
Existence or occurrence
Rights and obligations
Completeness and cutoff
Valuation, allocation and accuracy
The acceptable level of detection risk is inversely related to the…
Assurance provided by substantive tests.
* DR is the risk of overlooking a mistake, as sub testing increases DR decreases a
What opinion is expressed when there is a material weakness on effectiveness of IC report for an integrated audit of a nonissuer?
Adverse
Diff between information processing controls and segregation of duties?
Info processing is designed to prevent certain information from being processed (e.g., fulfilling a sales order) without adhering to a specific control (e.g., obtaining credit approval).
Segregation of duties involves making certain that the same parties are not responsible for two or more of the functions involving ARCC-S.
What type of work does internal auditor perform?
AU-C 610
Procedures to obtain understanding of the entity
Procedures when assigning risk
Substantive procedures
What are the risk assessment procedures?
[AIIO]
AP
Inquiries
Inspection
Observation of applicable controls
How to document the understanding of IC?
[FIND]
Flowcharts
IC questionnaire
Narrative or memo
Decision tree
How to perform tests of controls?
Test cycles for ARCC-s by doing RIIO (reperformance, inspection, inquiry, observation)
PCAOB has to do this
Test operating effectiveness of design (substance, not form)
For an issuer (public) company audit of internal control, walkthroughs provide the auditor with primary evidence to
Evaluate the effectiveness of the design of controls and confirm whether controls have been implemented.