Planning Flashcards
When should a client preferably appoint an independent auditor?
Well before year-end, to give him time to analyze everything
Otherwise, it might cause him to give a lesser opinion
What are some examples of management’s responsibilities as mentioned in an engagement letter?
- financials and accounting policies
- protection from fraud
- internal controls
- making financial info available to auditor
- correcting material misstatements
As mentioned in the engagement letter, what is one important thing an audit is not designed to do?
Search for significant deficiencies in internal control (although the auditor should report any that he finds)
What is optional to be included in an engagement letter?
Audit strategies, fees, additional services to be provided, etc.
What planning procedures should be done at the beginning of the engagement?
- procedures for continuing the client relationship and for the particular engagement
- analyzing the client’s compliance with ethical rules
What are some important things to consider for an overall audit strategy?
- factors that determine scope (e.g. basis of accounting, industry)
- deadlines
- factors that determine focus (e.g. areas with higher RMM)
What does the auditor develop after specifying an audit strategy (i.e. auditing objectives)?
An audit plan (i.e. audit programs)
Plan and strategy can overlap and can change one another
What is the purpose of an audit plan?
To map out audit procedures designed to reduce audit risk
What procedures should be included in an audit plan?
Risk assessment procedures (determine RMM)
Further procedures following from these, including tests of controls and substantive procedures
What should the auditor consider regarding involving a specialist?
Whether:
- it is necessary (especially for IT specialists)
- he will officially be part of the audit team
What is the auditor required to do when supervising assistants?
Communicate with them about objectives, questions, MM, etc.
Review their work
Resolve disagreements
When is a misstatement considered material?
If it would affect the judgment of a reasonable person relying on the financials
Factors can be quantitative or qualitative
What are the two types of misstatements?
Known - actually found during the audit
Likely - based on an extrapolation of audit evidence (but also includes info based on accounting estimates the auditor deems unreasonable)
What are the causes of misstatements?
Errors or fraud
Auditor should report fraud even if immaterial
What are two kinds of fraud?
Fraudulent financial reporting
Misappropriation of assets (theft)
What are two financial-statement-level considerations an auditor should make in determining audit risk and materiality level?
Pervasive risks (not strictly identifiable with particular assertions)
Whether to perform audit procedures at different locations
What is the relationship between audit risk and materiality at the individual account level?
Inverse
E.g., risk of large misstatement is generally lower
What would generally be required to reduce audit risk?
- more effective auditing procedure
- greater extent of procedure
- perform procedure closer to year-end
These are: nature, extent, and timing
Should auditors have procedures to detect qualitatively material misstatements?
No, as it is impractical
What are the two components of RMM?
Inherent Risk (IR) and Control Risk (CR)
What is inherent risk?
Vulnerability of an assertion to misstatement by its nature, or irrespective of controls
E.g. cash can be stolen, complex calculations and difficult estimates can be wrong
What is control risk?
Vulnerability of an assertion to misstatement due to a control not preventing it
What is detection risk (DR)?
Risk that the auditor will not detect a material misstatement that exists
Relates to substantive procedures
What are the two components of detection risk (DR)?
- Tests of Details (TD) Risk
- Analytical Procedures (AP) Risk
These are the risks when doing the two different kinds of substantive tests
What is the “formula” for audit risk (AR)?
AR = RMM x DR
or
AR = IR x CR x DR
DR = TD x AP
These are all judgments, not strict mathematical formulas
How is detection risk (DR) related to the RMM?
They are inversely related
E.g. if RMM is high, and the auditor wants a given audit risk (AR), then he should decrease DR by planning more auditing
What is the main difference between RMM and DR?
RMM is the risk within the company itself, which the auditor analyzes but cannot change
DR is the risk within the audit procedures, so the auditor can control it
How does the amount of substantive testing relate to DR?
Inversely
E.g. if the auditor decreases the level of acceptable DR, then more substantive testing is required
When should an auditor perform substantive procedures for all relevant assertions?
Always, regardless of the level of DR desired
How are benchmarks used in assessing materiality?
Auditor can pick out a measure suitable for the client, and use a % as a reference – though not a strict rule
E.g. net assets for an investment company, or total revenues, or gross profit
How might the auditor determine the percentage of a benchmark for materiality?
- prior period numbers
- period-to-date numbers
- budgets or forecasts
What is a tolerable misstatement?
The maximum amount of permissible misstatement for a given account or transaction-group
Usually set lower than the materiality level, in order to prevent an aggregate material misstatement for the whole financials
What should the auditor do if discovered misstatements in aggregate are near the materiality level?
He should determine the risk that undetected misstatements could cause the aggregate to exceed the materiality level
What must an auditor do if he discovers material misstatements?
Speak of them to management and TCWG
What should an auditor request of management if he discovers a likely misstatement?
Depending on the type of likely misstatement, he should request mgmt:
- to analyze the whole population and make additional corrections
- to re-analyze assumptions for estimates
- to determine the amount of a misstatement that is likely to exist
What should an auditor look for when analyzing individual misstatements?
- whether misstatements might offset each other
- whether prior-period misstatements might have been immaterial but have a material effect
What are some factors involved in the qualitative evaluation of misstatements?
- changing a loss into income
- effect of misstatement on compensation or bonus
- effect on loan covenant arrangement
- legal requirements
- implications of fraud
- relevance to user needs
What are inquiries?
Risk assessment procedures that involve requesting info from management and others
What are analytics?
A risk assessment procedure that assesses ratios and other relationships
Ratios/relationships should be predicted first, so that deviant numbers are easier to identify
What are other risk assessment procedures besides inquiries and analytics?
Observation and inspection
Prior period info
Fraud risk
What are the different areas about the entity and its environment that the auditor should understand?
(1) Industry, regulatory, and external factors
(2) Nature of entity (e.g. governance, structure, financing, subsidiaries)
(3) Strategies and business risks (i.e. how the entity responds to external factors)
(4) Financial performance (esp. pressure on mgmt)
(5) Internal control
What should the auditor document regarding the discussion of RMM in the financials?
- how and when the discussion occurred
- what was discussed
- who discussed it
- what was decided in response
- sources of info
- procedures performed
What is the difference between a user organization and a service organization?
If an entity uses another organization to process transactions, the former is the user org. and the latter the service org.
Guidance for auditing these entities is in AU 324
How independent should a service auditor be?
Should be independent of service organization, but not necessarily of users
For a service audit, how are the type of engagement and type of report determined?
Determined by the service organization
What are the two different kinds of reports that can be prepared by a service auditor?
Report on Controls Placed in Operation - determines whether controls are properly designed and implemented as of a given date
Reports on Controls Placed in Operation and Tests of Operating Effectiveness - like the above, but also tests whether controls provide reasonable assurance of effectiveness
When are a service organization’s services considered part of the user’s information system?
If they affect:
- how transactions begin or are processed
- accounting records
- how financial statements are prepared
How should the user auditor utilize the service auditor’s report on the service organization?
He should consider the service auditor’s reputation and the report’s quality and request additional procedures if necessary
The user auditor should not reference the service auditor’s report in his own opinion on the user’s financials
Do auditors make legal determinations of whether fraud has occurred?
No, they are concerned foremost with material misstatement
What is a primary area of concern for detecting fraudulent financial reporting?
Revenue – can be overstated or understated
What is another term for misappropriation of assets (i.e. theft)?
Defalcation
What are the three conditions conducive to fraud?
Incentive (pressure)
Opportunity
Attitude (rationalization)
How should an auditor respond to a significant RMM for fraud?
Assign skilled personnel
Look closely at accounting principles and estimates selected by mgmt
Have some unpredictability in auditing procedures
What are some further audit procedures that address possible fraud through management’s override of controls?
Examining journal entries, accounting estimates, and unusual transactions
Is the auditor ordinarily allowed to disclose possible fraud to outside parties?
No, as client confidentiality forbids it
But there are exceptions (e.g. if legally required, successor auditor, subpoena)
How does the RMM affect the timing of audit procedures?
Generally, for a higher risk, procedures should be performed nearer to period-end
Unpredictability helps too
What does not count as an illegal act for auditing purposes?
Illegal activities done by personnel unrelated to the business’s activities
What is the auditor’s main responsibility concerning illegal acts?
To discover the direct and material effect of illegal acts on the financials (same as for fraud)
Illegal acts with indirect effects are less important
How might illegal acts have an indirect effect on financial statements?
Usually, if there is some violation of a regulation of the entity’s operations (e.g. OSHA, FDA), then the effect is indirect
Indirect effects are usually contingent liabilities because of some penalty
Does a GAAS audit typically include procedures designed to discover illegal acts?
No
They do not provide any assurance that illegal acts or their contingent liabilities will be discovered
What should the auditor do if he discovers an illegal act with a material effect on the financial statements, but the client has not accounted for it properly?
Express either a qualified or adverse opinion
What 1995 legislation affects audits?
Private Securities Litigation Reform Act of 1995
Requires auditors to plan procedures that:
- detect illegal acts with a direct and material effect
- identify related-party transactions with a material effect
- discern an issuer’s ability to be a going concern
What does the Private Securities Litigation Reform Act of 1995 require entities to do if an auditor notifies them of illegal activity?
Report it to the SEC within one business day
If not, then the auditor should do so and/or withdraw
What 1977 legislation affects audits?
Foreign Corrupt Practices Act of 1977 (FCPA)
Forbids U.S. persons and foreign persons operating in the U.S. (and companies) from bribing foreign gov’ts
Who is generally included in “those charged with governance” (TCWG)?
Board of directors and audit committee
What should the auditor communicate to TCWG?
- Opinion
- Responsibilities of TCWG
- Issues related to independence
- Overview of audit
- Significant discoveries
- Discussions with management
How should the auditor document communications with TCWG?
If in writing, he should retain them as such
If orally, he should document them
