Risk Assessment Flashcards
Control Environment
The overall tone of the organization
Risk Assessment
Management's identification of risk
Information and Communications Systems
A means of recording transactions and communicating responsibilities
Monitoring
Assessment of internal control performance over time
Existing Control Activities
Control Policies and procedures
Five Components of Internal Control
(C) Control Risk (R) Risk Assessment (I) Information and Communications (M) Monitoring (E) Existing Control Activities
“CRIME”
The CPA is required to understand each element of “CRIME” as it relates to financial reporting.
Information Technology Segregation of Duties
(C) - Control Team (O) - Operator (P) - Programmer (A) - Analyst (L) - Librarian
“COPAL”
Audit Process
- General Principles
- Engagement Acceptance
- Assess Risk & Plan Response
- Perform Procedures & Obtain Evidence
- Form Conclusions
- Reporting
Audit Planning
(N) - Nature (preliminary evaluation materiality, audit risk, internal control)
(E) - Extent (Scope of Audit, size and complexity, IT, prior experience)
(T) - Timing (deadlines, key dates)
(C) - Completeness (account balances, trans, disclosure)
(O) - Cutoff (correct accounting period)
(V) - Valuation, Allocation, and Accuracy (account balances, transactions)
(E) - Existence (Balance and trans exist)
(R) - Rights; Obligations
(U) - Understandability, Classification (disclosure is clearly expressed)
“COVER U”
Must be written and can be adjusted as time goes on.
Audit Evidence Hierarchy (Identifying Risk)
Remember your vowels!!! (A) - Auditor knows (E) - External Evidence (I) - Internal Evidence (O) - Oral Evidence (U) - Know it!
Audit Reporting (Private)
(M) - Management (R) Responsibility Paragraph
(D) - Design
(I) - Implementation
(M) - Maintenance
(R) Reports (E) Express (P) Plan (O) Obtain (R) Risk (T) Test "Internal Controls" (S) Statements
(C) Control (R) Reasonableness (A) Accounting (M) Management (E) Evaluating
“MR DIM REPORTS CRAME”
Is departure from US GAAP allowed if financial statements would be otherwise misleading?
Yes, departure from US GAAP is allowed if financial statements would be otherwise misleading.
Still issue unmodified/unqualified opinion.
Disclosure in the notes.
Professional Skepticism
is the recognition that circumstances may exist that cause the financial statements to be materially misstated.
Emphasis Of Matter Paragraph
- Going Concern
- Material justified change in accounting principle
- Material Misstatement in prior financial statements
- Special Purpose Framework
Special: Change in audit opinion could potentially be stated in the emphasis of matter paragraph.
You can have an emphasis of matter paragraph with an unmodified, modified, adverse, or disclaimer opinion.
Other Matter Paragraph
- Restrict use of Report
- Prior financial statements audited by prior auditor have not been presented.
- Comparative financial statements where current year is audited but PP is not audited.
- Material inconsistency in other information
- Report of supplementary information within auditor's report
- Refer to required Supplementary information
- Report on compliance included in auditor's report.
Special: Change in audit opinion could potentially be stated in the emphasis of matter paragraph.
Explanatory Paragraph (Issuer/Public)
- Restrict use of Report
- Prior financial statements audited by prior auditor have not been presented.
- Comparative financial statements where current year is audited but PP is not audited.
- Material inconsistency in other information
- Report of supplementary information within auditor's report
- Refer to required Supplementary information
- Report on compliance included in auditor's report.
Special: Change in audit opinion could potentially be stated in the emphasis of matter paragraph.
Standard Audit Procedures to obtain evidence
(C) Confirmation
(F) Footing, Cross Footing, Recalculation “Valuation”
(“A Vowel” - Auditor Knows)
(I) Inquiry (“O Vowel” - Oral Evidence)
(V) Vouching (“I Vowel” - Internal Evidence)
(E) Examination/Inspection (“A Vowel” - Auditor Knows)
(C) Cutoff Review “No Back Dating” (“I Vowel” - Internal Evidence)
(A) Analytical Procedures (“A&I Vowel”)
(R) Reperformance (A Vowel)
(R) Reconciliation (I Vowel)
(O) Observation (A Vowel)
(T) Tracing “Expenses & Liabilities are not understated” (I Vowel)
(W) Walk-through (A&O Vowel)
(A) Audit Related Accounts simultaneously (I Vowel)
(R) Representation Letter (I Vowel)
(S) Subsequent Events Review (All Vowels)
1. Contingencies
2. Unrecorded Liabilities
3. Disclosures
“C FIVE CARROT WARS”
Remember the Facebook game Farmville.
Substantive Procedures
$$$$$ let's test the money
- Transactions Total
- Account Balances
- Disclosures
Vouching
Risk of overstatement
- Revenue
- Assets
Testing for existence/occurrence "Moving Down"
Example: start vouching with the sales journal (financial statements) to invoice
Tracing
Risk of understatement
- Expenses
- Liabilities
Testing for completeness/coverage "Moving Up"
Example: start tracing with the shipping doc to invoice to sales journal (financial statements) to audit sales
Sampling
Rule 1: Always assume that the population being sampled is normally distributed, that is, it can be described by a “normal” or “bell shaped curve” (Central limit theorem)
Rule 2: For the estimates that the CPA makes about the population to have mathematical validity, the samples have to be unrestricted and randomly selected, which means that:
- Every item in a population must have an absolutely equal chance of being selected.
- The CPA cannot use “Bias” in deciding which items will be selected. No substitute items may be used. (Only area where CPA does not use judgement)
Rule 3: If the sample is large enough and is randomly selected, the sample will likely have the same statistical characteristics (mean and standard deviation) as the underlying population; that is, it will be representative of the population.
Rule 4: Standard deviation is a measure of “variability” which refers to the range of values within the population. (Sample Risk)
“Variability=Uncertainty=Larger sample size”
Does statistical sampling eliminate the need for auditing judgment?
No, judgment is required to set many of the parameters and to evaluate the overall results.
Attribute Sampling
Most common in TESTING CONTROLS (Yes or NO MCQ)
Testing for specific characteristics (seeking errors) IC.
Variables Sampling
Estimating the dollar value of the population, substantive testing
Risk of incorrect acceptance (Beta Risk, sample results fail to identify an existing material misstatement)
Risk of incorrect rejection (Alpha Risk, lack of efficiency, sample results mistakenly indicate a material misstatement)
Sampling Risk
probability that sample is wrong
Non Sampling Risk
- use wrong audit procedures
- improperly evaluate evidence/results
Tolerable Deviation Rate
tolerable mistakes = risk of misstatement
Deviation Rate VS Tolerable Rate
The deviation rate in the sample is the auditor's best estimate of the deviation rate in the population from which it was selected.
Select the Sample (Rule 2)
most common: random selection
systematic selection - same day every month
block (cluster) sampling - ok if has random start
Evaluate the Sample Results (Rule 3)
Sample deviation rate (+) Allowance for sampling risk = upper deviation rate.
Sampling Exam Trick
examiners sometimes try to trick candidates into using the sample deviation rate (instead of the upper deviation rate) in drawing conclusions about a population. Always consider worst case scenario.
Elements of a CPA Firm's Quality Controls - identified by Statement on Quality Control Standards (SQCS)
- leadership responsibilities for quality within the firm
- relevant ethical requirements
- acceptance and continuance of client relationships and specific engagements
- human resources
- engagement performance
- monitoring
Can a CPA firm disclose the names of its audit clients?
A CPA firm may disclose the names of its clients, but the disclosure may not suggest that the client may be experiencing financial difficulties.
Control Environment
the foundation of a business is its people and the environment
Risk Assessment
organizations must set objectives to identify, analyze, and manage risk
Control Activities
Policies and procedures are needed to make sure control objectives are effectively carried out.
Information and communication
organizations should create and use information and communication systems to plan, conduct, manage, evaluate, and control their operations.
Monitoring Activities
information systems and internal control policies and procedures are monitored and modified as needed.
Fraud Risk
- Pressures to perpetrate fraud
- opportunities to carry out fraud
- rationalizations to justify a fraudulent action
Duty to Disclose
a. to comply with certain legal and regulatory requirements.
b. to a successor accountant when management has given permission for communication between the predecessor accountant and the successor accountant
c. in response to a subpoena
Fraudulent Reporting
usually acts of management
- manipulation, falsification, or alteration of accounting records or supporting documents
- misrepresentation in, or intentional omission
- intentional misapplication of accounting principles
Misappropriation of Assets
usually acts of one or more individuals among management, employees, or third parties and may involve stealing assets or causing an entity to pay for something that has not been received.
- theft causes the financial statements not to be presented in conformity with GAAP
Fraud Risk - Incentive/Pressure
under pressure from sources outside or inside the entity
Fraud Risk - Opportunity
- allows a misrepresentation to occur
- deficiencies in internal control
- easy to steal assets
Fraud Risk - Attitudes/Rationalization
employee creates a mindset that justifies the misrepresentation
Addressing Letters & Reports
Engagement Letter - Can be a person
Auditor's Report - Board of Directors
Raises concerns regarding management's philosophy
- Management consumed with meeting the budget
- Management dominated by one person
- Management compensation contingent upon the entity's financial statements
Risk Assessment - Existing Control Activities
to have a strong system...
(P) Prenumbering of Documents
(A) Authorization of Transactions
(I) Independent checks to maintain asset accountability
(D) Documentation
(T) Timely and Appropriate Financial Performance Reviews
(I) Information Processing Controls
(P) Physical Controls for Safeguarding Assets
(S) Segregation of Duties
Risk Assessment - Segregation of duties
should not be combined….
(A) Authorization
(R) Record keeping
(C) Custody of related assets
The Auditor would favor interim testing if
- the assessed risk of material misstatement is low
- the controls are strong
- the auditor can reduce the risk that misstatements that exist at the period-end are not detected by performing appropriate procedures, and
- GAAS does not require testing at the balance sheet
Internal Controls (Sales)
- Preparation of the Sales Order “Serially Numbered”
- Credit Approval “approved”
- Shipment “serially numbered bill of lading”
- Billing “serially numbered sales invoice”
- Accounting
Billing and Accounting can be consolidated!
Match order
- Shipping
- Order
- Invoice
Internal Controls (AR)
- Sales
- Collection of Cash Receipts
- Uncollectible Receivables
- Sales Returns “serially numbered”
- Sales Discounts
Internal Controls (Cash Receipts)
- Cashier - actually receives receipts and makes deposits
- Accounts Receivable Department - enters receipts into the accounts receivable subsidiary records.
- Account Department - accounts receivable control account.
3 copies of receipts should be listed in detail.
lock boxes should be used as safeguards.
Pass Key (Revenue Cycle)
existence is generally a more relevant assertion than completeness when auditing the revenue cycle. The risk that accounts receivable and sales will be overstated is high, while the risk that accounts receivable and sales will be understated is low.
Internal Controls (Purchases)
- Purchase Requisition
- Purchase Orders
- Receipt of Goods or Service “Blind Copy”
“Properly Approved”
Internal Controls (Accounts Payable)
- Recording Payables
- Approving Invoice for Payment and Recording Payment
Match order
- Receiving report
- PO
- Invoice
Internal Controls (Cash Disbursements)
approving payment and signing a check should be separated duties.
Pass Key (Expenditure Cycle)
for AP, the completeness and accuracy assertions are generally more relevant than the existence and rights and obligations assertions, because the risk of understatement is greater than the risk of overstatement.
Lapping
Today’s cash receipts cover yesterday’s theft
How to prevent?
Independent comparison of recorded cash receipts with funds actually deposited.
Kiting
Cash recorded in two places at once.
How to prevent?
look at a bank transfer situation
Internal Controls (Inventory)
- Purchasing
- Receiving
- Warehouse
- Shipping
Perpetual Inventory - if inventory counting is done at a date other than the date of the financial statements, the auditor should obtain evidence about whether changes in inventory + evidence for “gap” period.
auditor should observe inventory count if inventory is significant.
Significant?
Yes - Observe
No - Confirmation
Pass Key (Inventory Cycle)
inventory observation implies the auditor watches the client count the inventory.
Audit Documentation
- the amount below which misstatements would be regarded as clearly trivial
- all misstatements accumulated in audit and if they have been corrected.
- auditor's conclusion about whether uncorrected misstatements are material, individually or in aggregate.
Reasonableness of an Estimate
- significant to the accounting estimate
- sensitive to variations
- deviations from historical patterns
- subject and susceptible to misstatement and bias
Auditor Permanent file should include……
items that remain relatively unchanged from year to year.
Example: capital stock and other owner’s equity accounts
Disagreements with Management and auditor
auditor needs to communicate any disagreements that could be significant to the FS or auditor report.
Disagreements based on preliminary or incomplete information that were later resolved do not need to be disclosed.
Internal Controls (Investment Cycle)
- Authorization of Purchase or Sale of Investments
- Custody of investments
- Record Keeping
Internal Controls (Investment Transactions)
- Completeness
- Cutoff
- Valuation, Allocation, and accuracy
- Existence and Occurrence
- Understandability and Classification
Derivatives
Hedging Activities
- The derivative was designated as a hedge at its inception by management
- Management has documented the hedging relationship, risk management objective, and strategy and is periodically assessing its effectiveness.
Internal Controls (PP&E)
- Acquisition
- Subsidiary Ledgers
- Physical Security
- Written Policies
- Disposition “Sequentially Numbered”
Internal Controls (Payroll)
- Authorization to Employ and Pay
- Supervision
- Timekeeping and Cost Accounting
- Payroll Check Preparation
- Check Distribution
Segregation of duties
Observe payroll distribution
IT
Test to ensure that only employees existing in the computer data.
Pass Key (Payroll Cycle)
- payroll department is a record-keeping department
Internal Controls (Financing)
- adequate documentation of all financing agreements
- Authorization of new debt financing by the board of directors or management.
- Detail Records
Internal Controls (Equity)
- officer will be responsible.
- Periodic independent reconciliation
GAO Standards
- Self Interest - financial or other interest
- Self Review - not properly evaluate
- Bias - promote a position
- Familiarity - close relationship
- Undue Influence
- Management Participation
- Structural threats
Client decides not to make the auditor's proposed adjustments that COLLECTIVELY are NOT MATERIAL
the auditor can issue a standard report with an unmodified opinion
Agreed-Upon Procedures
no auditor's report or opinion
list procedures performed in the attestation report
Predecessor Auditor had a qualified opinion and client will not present
management's responsibility paragraph of the successor report is changed to include a statement that the prior year's statements were audited by another auditor, the date of the auditor's report, the opinion issued, and an explanation if the opinion was other than unmodified.
Incorrect Acceptance of a Sample
sample shows not materially misstated but in fact is materially misstated
GOOD THING! WHAT WE WANT!
Incorrect Rejection of a Sample
sample shows materially misstated but in fact is not materially misstated.
BAD THING! WHAT WE DON'T WANT!
Risk of Assessing Control Risk Too Low
sample results indicate a lower deviation rate than actually exists in the population
Risk of Assessing Control Risk Too High
sample results indicate a higher deviation rate than actually exists in the population
Upper Deviation Rate
Sample Deviation Rate (auditor's best estimate) + Allowance for sampling risk.
Matters That Require Special Consideration
Auditor's Responsibility
- Material Misstatements
- Consistently applied or changed correctly
Agreed Upon Procedures - IAMSURE
(I) Independence
(A) Agreement of the Parties
(M) Measurability and Consistency
(S) Sufficiency of the Procedures - specified parties take responsibility
(U) Use of the Report Is Restricted to the Specified Parties
(R) Responsibility for the Subject Matter
(E) Engagements to Perform Agreed-Upon Procedures on Prospective Financial Statements.
Prospective Financial statements
Partially expired
Completely & Pro forma & Partial Presentation expired ARE NOT considered prospective
Prospective Financial statements
General Use - Forecast
Limited Use - Forecast & Financial Projection
Preparation of Prospective Financial Statements
practitioner should not prepare
excludes the summary of significant assumptions
Compilation
- proper assembling of the financial data based on the responsible party's assumptions
- no assurance
- read the prospective FS with the summaries of significant assumptions and accounting policies and consider whether they appear to be presented in conformity with AICPA
- beware of obviously inappropriate assumptions used to construct the statements.
Content of Compilation Report
- Identification entity
- prospective financial information
- date or period covered
- management is responsible
- performed the compilation engagement in accordance with SSARS
- does not express an opinion, a conclusion, nor provide any assurance
- prospective results may not be achieved
- signature, date, city and state
- FOLLOWS SSARS
Examination
- statements are presented in conformity with AICPA and underlying assumptions provide a reasonable basis for the prospective statements
- Independence required
- Evidence required
Report: independent, signature, city and state, and date
Identification of the prospective financial statements
criteria against
FOLLOWS AICPA
Pro Forma Financial Statements
demonstrate the effect of a future or hypothetical event by showing how it might have affected the historical financial statements if it had occurred during the period covered by those financial statements.
- based on management's assumptions
- directly attributable to the transactions
- labeled accordingly
- may be examined or reviewed
- understanding of the event and evaluate the pro forma adjustments, including any assumptions on which the adjustments are based.
- make reference to the FS from which the historical info is derived and state whether such financial statements were audited or reviewed.
CHECK THE MATH
successor auditor asks the predecessor auditor….
management integrity
disagreements with management
change of auditors
communication in regard to fraud
written communication regarding significant deficiencies
- statement “express an opinion on the financial statements, but not effectiveness over controls”
- “not designed to identify all deficiencies”
- define material weakness, where relevant, term of significant deficiency
- identify significant deficiencies and mm weakness
- intended solely for management
reasonableness of an estimate
- significant accounting estimate
- sensitive to variations
- deviations from historical
- subject and susceptible to misstatement and bias
Perfect opportunity for a fraud in an operating style
- Management consumed with meeting the budget = Pressure
- Management dominated by one person = Opportunity
- Management compensation contingent upon the entity’s financial performance.