Internal Control Communications and Reports - Gleim Chapter 9 Flashcards
Green, CPA, is auditing the financial statements of Ajax Co. Ajax uses the DP Service Center to process its payroll. DP’s financial statements are audited by Blue, CPA, who recently issued a report on DP’s policies and procedures regarding the processing of other entities’ transactions. In considering whether Blue’s report is satisfactory for Green’s purposes, Green should
Not rely on DP’s controls.
Perform tests of controls at the DP Service Center.
Review the audit plan followed by Blue.
Make inquiries about Blue’s professional reputation.
Make inquiries about Blue’s professional reputation. The user auditor should be satisfied about (1) the service auditor’s professional competence and (2) the adequacy of the standards governing the type 1 or type 2 report.
An auditor’s report on an examination of internal control over financial reporting is least likely to be issued as a result of
A request to apply agreed-upon procedures relating to the effectiveness of an entity’s internal control.
A review of the annual financial statements of a large corporation.
An engagement to examine the effectiveness of an entity’s internal control based on criteria established by a regulatory body.
A request by management to report on internal control effectiveness.
A review of the annual financial statements of a large corporation. Auditors are engaged to audit and express an opinion on, rather than review, the annual statements of large corporations (issuers). A review is appropriate for nonissuers that seek a report expressing only limited assurance on financial statements, not internal control
The auditor of an issuer must express an opinion on the effectiveness of internal control. The opinion should be expressed as of a specified date or for a specified period of time, both or neither?
As of a specified date. According to PCAOB’s AS No. 5, the report states the auditor’s opinion on whether the entity maintained, in all material respects, effective internal control over financial reporting as of the specified date based on the control criteria. The date typically is the end of the fiscal period. For a nonissuer, the practitioner may examine the effectiveness of internal control during a period of time (AT 501).
Which of the following matters (one, both or neither) is an auditor required to communicate to those in the entity charged with governance?
Disagreements with management about matters significant to the entity’s financial statements that have been satisfactorily resolved -or -
Initial selection of significant accounting policies in emerging areas that lack authoritative guidance
Both I and II. AU-C 260, The Auditor’s Communication with Those Charged with Governance, states that the matters to be discussed include (1) an overview of the planned scope and timing of the audit; (2) the auditors’ responsibilities regarding the audit, such as performing the audit to obtain reasonable, not absolute, assurance about whether the statements are fairly presented; (3) significant accounting policies; (4) sensitive accounting estimates; (5) uncorrected and corrected misstatements; (6) the qualitative aspects of the entity’s accounting practices; (7) significant difficulties during the audit; (8) auditor disagreements with management, whether or not satisfactorily resolved; and (9) any other findings and issues judged to be significant and relevant to those charged with governance. Under the Sarbanes-Oxley Act of 2002, a registered audit firm must communicate (1) critical accounting policies, (2) all alternative treatments of information within GAAP discussed with management, (3) the ramifications of using such treatments, and (4) the treatment preferred by the firm.
Each of the following statements is correct regarding the likely sources of potential misstatements in an integrated audit of a nonissuer except
The controls that management has implemented to address potential sources of misstatements should be identified.
An evaluation of the entity’s information technology risk and controls should be performed separately from the top-down approach.
An understanding of how transactions are initiated, authorized, processed, and recorded should be achieved.
Walkthroughs are frequently the most effective way of understanding sources of potential misstatements.
An evaluation of the entity’s information technology risk and controls should be performed separately from the top-down approach. The auditor begins an integrated audit at the statement level by understanding overall risks to internal control over financial reporting. (S)he then focuses on entity-level controls and works down to significant accounts, disclosures, and their relevant assertions. The following are examples of entity-level controls: (1) the control environment, (2) controls over management override, (3) monitoring of the results of operations, (4) controls over the period-end financial reporting process, (5) monitoring of other controls, and (6) the risk assessment process.
Which of the following matters is an auditor required to communicate to those charged with governance?
Graded
Changes in the auditor’s preliminary judgment about materiality that were caused by projecting the results of statistical sampling for tests of transactions.
Adjustments that were suggested by the auditor and recorded by management that have a significant effect on the entity’s financial reporting process.
The auditor’s consideration of risk factors in assessing the risk of material misstatement arising from the misappropriation of assets.
The results of the auditor’s analytical procedures performed in the review stage of the engagement that indicate significant variances from expected amounts.
Adjustments that were suggested by the auditor and recorded by management that have a significant effect on the entity’s financial reporting process. Certain matters should be communicated to those charged with governance (e.g., the audit committee) if all such individuals are not involved in management. These matters include material, corrected misstatements that were brought to the attention of management as a result of audit procedures (AU-C 260).
The Sarbanes-Oxley Act of 2002 (SOX) requires management of issuers to do all of the following except
Provide a statement that the board approves changes in internal control procedures.
Provide an identification of the framework used to evaluate the effectiveness of internal control.
Provide a report to include a statement of management’s responsibility for and assessment of internal control.
Establish and document internal control procedures and to include in their annual reports a report on the company’s internal control over financial reporting.
Provide a statement that the board approves changes in internal control procedures. SOX imposes many requirements on management, boards of directors, and auditors. Section 404 applies to internal controls and reports on them. Section 404 requires management to establish and document internal control procedures and to include in their annual reports a report on the entity’s internal control over financial reporting. The report is to include (1) a statement of management’s responsibility for internal control, (2) management’s assessment of the effectiveness of internal control as of the end of the most recent fiscal year, and (3) identification of the framework used to evaluate the effectiveness of internal control (such as the COSO report). Because of this requirement, PCAOB AS No. 5 states that audit opinions are to be expressed on the effectiveness of those controls and on the financial statements. Section 301 addresses activities of the board but does not require the board to approve changes in controls.
When reporting to the audit committee on conditions relating to an entity’s internal control observed during an audit of a nonissuer’s financial statements, the auditor should include a
Description of tests performed to search for significant deficiencies and material weaknesses.
Restriction on the use of the report.
Statement of positive assurance on internal control.
Recommendation to remediate the significant deficiencies and material weaknesses identified.
Restriction on the use of the report. The report is a by-product of the engagement. It is intended solely for the information and use of those charged with governance, management, and others within the organization (or specified regulatory agency) and is not intended to be and should not be used by anyone other than these specified parties (AU-C 905). But law or regulation may require the report to be given to governmental authorities. For issuers, the auditor must express an opinion on whether the client maintained, in all material respects, effective internal control over financial reporting. This report is not restricted as to use.
Which of the following is true regarding significant deficiencies and material weaknesses in control for a nonissuer?
They should be included in the financial statements.
Auditors should communicate them to management and those charged with governance.
They should be disclosed in notes to the financial statements.
Auditors should search for them.
Auditors should communicate them to management and those charged with governance. The auditor should report certain control deficiencies in internal control observed during an audit. The communication is expected to be to management and those charged with governance. The auditor should report in writing significant deficiencies and material weaknesses in the design or operation of internal controls. The communication also should include an explanation of the potential effects of each significant deficiency and material weakness and sufficient information about the context of the communication.
In identifying matters for communication with an entity’s audit committee, an auditor most likely would ask management whether
The turnover in the accounting department was unusually high.
It agreed with the auditor’s assessment of the risks of material misstatement.
It consulted with another CPA firm about accounting matters.
There were any subsequent events of which the auditor was unaware.
It consulted with another CPA firm about accounting matters. Unless all those charged with governance are managers, the auditor should communicate his or her views on significant accounting and auditing matters about which management consulted with other accountants (AU-C 260).
Payroll Data Co. (PDC) processes payroll transactions for a retailer. Cook, CPA, is engaged to issue a report on PDC’s internal controls implemented as of a specific date. These controls are relevant to the retailer’s internal control, so Cook’s report may be useful in providing the retailer’s independent auditor with information necessary to plan a financial statement audit. Cook’s report should
Contain a disclaimer of opinion on the operating effectiveness of PDC’s controls.
State whether PDC’s controls were suitably designed to achieve the retailer’s objectives.
Identify PDC’s controls relevant to specific financial statement assertions.
Disclose Cook’s assessed risks of material misstatement for PDC.
Contain a disclaimer of opinion on the operating effectiveness of PDC’s controls. Service auditors may report (1) on the fairness of management’s description of the controls and whether the controls have been implemented and are suitably designed (type 1 report) or (2) additionally on operating effectiveness (type 2 report). The type 1 report should include a disclaimer of opinion related to operating effectiveness of the controls.
