AUDIT 3.txt

  1. Responsibilities of the audit committee
    Responsible for selection and appointment of the independent external auditor, and for reviewing the nature and scope of the engagement. Should pre-approve all services provided by the auditor
  2. Things to consider when accepting a client/engagement
    • - Firm's ability to meet reporting deadlines (impacted by timing/complexity)
    • - Firm's ability to staff the engagement
    • - Independence
    • - Integrity of client management
  3. How to assess the auditability of the client
    • - Availability and adequacy of accounting records (lack of records = scope limitation)
    • - Management's attitude towards internal control environment (risk may be too high)
  4. In a new client, what is mandatory before accepting the engagement?
    • Making inquiries of the predecessor auditor, with the client's permission about:
    • - Info that might bear on mgmt integrity
    • - Disagreements with management
    • - Predecessor's understanding as to reason for change of auditors
    • - Communication to mgmt, audit committee and those charged w/ governance regarding fraud, illegal acts by client, and matters relating to internal control
  5. What should an auditor do with the predecessor auditor after accepting the engagement?
    • - Make specific inquiries of the predecessor
    • - Review the predecessor's audit documentation (workpaper -> evidence)
    • - If successor finds problems with predecessor, should arrange a meeting to resolve the matter
  6. Contents of the engagement letter
    • - Objectives of the engagement
    • - Management's responsibilities
    • - Auditor's responsibilities
    • - Limitations of engagement
    • - Other matters (conduct of engagement)
  7. Management's responsibilities in an engagement
    • - Entity's F/S, selection/application of acct policies
    • - Internal control
    • - Compliance with laws
    • - Make all financial records available to auditor
    • - Provide auditor w/ mgmt's representation
    • - Correct identified material misstatements
    • - Affirm that uncorrected misstatements are immaterial in F/S
  8. Auditor's responsibilities in an engagement
    Conduct audit in accordance with GAAS (reasonable assurance, and understanding of entity including I/C)
    • Limitations of an engagement
    • - Material misstatement may go undetected
    • - Audit's designed to detect only material errors (not immaterial)
    • - Audit's not designed to provide assurance on internal controls or identify significant deficiencies, but if discovered then need to report to audit committee
  9. International standards on auditing about when term of engagement is changed
    ISA210 states auditor and client should agree on new terms, and if auditor can't agree then should withdraw and consider whether there's any obligation to report to other parties
  10. Obtaining understanding of client's business/accounting/industry
    • - Read about client's industry
    • - Gain knowledge of client's business (tour facilities, review financial history)
    • - Obtain understanding of accounting methods
    • - Inquire of client personnel
  11. What's involved in developing the audit strategy
    • - Overall strategy helps auditor determine resources needed to complete audit. Includes:
    • - Scope, reporting objectives, audit timing, required communications
    • - Factors that determine focus (preliminary evaluations and areas of higher risk of mm)
    • - Materiality and tolerable misstatement
  12. What is materiality and tolerable misstatement?
    • - Materiality - consider quantitative & qualitative judgement, influenced by needs of user
    • - Use professional judgement and smallest level of misstatement that could be material
    • - Preliminary assessment should be revised as audit progresses
    • - One or more levels of tolerable misstatement should be determined
  13. What is an audit plan?
    Required documentation that's based on the audit strategy and outlines nature, extent and timing of procedures to be performed. Should list audit procedures believed necessary, in detail (with NET) and reference to assertion under consideration
  14. Audit procedures performed
    • - Risk assessment procedures
    • - Further audit procedures (tests of controls and substantive procedures)
    • - Other procedures (e.g. letter to client's attorney)
    • - Timing of audit procedures
  15. Financial statement assertions (which audit procedures are done on)
    • C - completeness (that nothing's missing)
    • O - cut-Off (proper period)
    • V - valuation, allocation and accuracy (recorded fairly)
    • E - existence and occurrence
    • R - rights and obligations (account balances/disclosures of assets/liabilities)
    • U - understandability and classification (disclosures)
  16. Relevant assertions and the 3 types
    • - Assertions with meaningful bearing on whether something's fairly stated
    • - Transactions and events (completeness, cutoff, accuracy, classification, occurrence)
    • - Account balances (completeness, allocation and valuation, rights and obligations, existence)
    • - Presentation and disclosure (completeness, understandability and classification, rights and obligations, and valuation and accuracy)
  17. Role of client's internal auditors
    • - Shouldn't have responsibility for audit decisions/judgements/assessments, nor for issuing report
    • - Can provide useful information to auditor in understanding IC, assessing risk, and performing substantive tests
    • - Also can provide direct assistance to CPA
  18. Roles and responsibilities of external auditor (in regards to internal auditors)
    • - Obtain an understanding of internal audit function (part of monitoring internal control)
    • - Assess competence and objectivity (if using work of internal auditor)
    • - Supervise and review
    • - Bear responsibility (ultimate responsibility is to external auditor)
  19. ISA requirement on external auditors using internal auditors work
    External should evaluate and test work (US says test some of work related to significant assertions), through examining what internal auditor examined or similar ones
  20. Using the work of a specialist
    • - May be engaged whenever auditor deems necessary, but auditor must understand nature of work and evaluate their findings for suitability in corroborating F/S amounts
    • - Auditor should be satisfied as to the professional competence and reputation of specialist (treat as own staff)
    • - Any unresolved disagreements/findings -> qualified opinion or disclaimer of opinion (scope limitation)
    • - Shouldn't reference specialist if standard unqualified, but reference if departure
  21. What is audit risk?
    Audit risk is the risk that the auditor may issue unqualified opinion on a bad F/S. Should reduce audit risk to a low level, and is because auditor can only obtain reasonable (not absolute) assurance
  22. What is material misstatement?
    Omissions or misstatements of accounting information that make it probable the judgement of a reasonable person would be changed by it. Can result from errors or fraud, and consist of known misstatements (specific identified ones) and likely misstatements (likely to exist due to differences between auditor's and mgmt's judgment)
  23. The audit risk model
    Equals RMM (assessed by auditor, exists independently of audit) x DR (controlled by auditor)
  24. What does RMM consist of? (Risk of material misstatement)
    • Inherent risk - that the client's accounting system has errors
    • Control risk - client's internal control doesn't catch the errors
    • RMM affects how much work we must do
  25. What does DR consist of? (Detection risk)
    That auditor will miss this mistake/error. Auditor can/will revise "NET" to change DR risk based on RMM. Some amount always exists.
  26. Considerations of audit risk and materiality
    • - Considered at F/S level (risks that have pervasive effect on F/S to many assertions, often relates to control. Relates to designing further audit procedures and response to it)
    • - Considerations at account balance, transaction class or disclosure item level (determine 'NET' of audit procedures, and there's an inverse relationship between audit risk and materiality)
    • - Affected by size/complexity, auditor experience and knowledge of entity
    • Substantive tests
    • - Will always be necessary for all relevant assertions related to material transaction classes, account balances and disclosures
    • - Is inversely related to the acceptable level of detection risk
  27. Types of fraud
    • - Fraudulent financial reporting (lying) in intentional misstatements or omissions from F/S to deceive users
    • - Misappropriation of assets (stealing)
    • - Corruption (cheating)
  28. Fraud risk factor conditions
    • - Incentives/pressures - a reason to commit fraud
    • - Opportunity - lack of effective controls
    • - Rationalization/attitude - attempt to justify fraudulent behavior
  29. Types of incentives/pressures for fraudulent financial reporting
    • - Threatened financial stability or profitability
    • - Excessive pressure for management to meet third party expectations
    • - Threats to management or board of director's personal financial situation based on entity's financial performance
    • - Excessive pressure on mgmt or operating personnel to meet financial targets
  30. Types of opportunities for fraudulent financial reporting
    • - Nature of industry or entity's operations
    • - Ineffective monitoring of management
    • - Complex or unstable organizational structure
    • - Deficiencies in internal control
  31. Reasonable assurance in consideration of fraud during an audit
    Even a properly planned and executed audit may fail to detect fraud since those engaged in fraud will generally try to conceal it, so should just try to limit audit risk to a low level
  32. Management's responsibilities vs. auditor's responsibilities in consideration of fraud during an audit
    • - Management's responsibility to design and implement programs and controls to prevent, deter and detect fraud
    • - Auditor's responsibility is to design a plan and perform the audit to obtain reasonable assurance about whether the F/S are free of material misstatement either from error or fraud (should assess RMM from fraud)
  33. ISA requirement of assessment of fraud risk
    Auditor should obtain written representation from management that it has disclosed to the auditor the results of its assessment of the risk that the F/S may be materially misstated as a result of fraud
  34. Some auditor requirements in detecting fraud
    • - Professional skepticism (can occur regardless of past experience/thoughts of mgmt's integrity, and shouldn't dismiss any info as a fluke)
    • - Discussion among personnel should include consideration of risk of mgmt override of controls and other potential MM due to fraud
  35. Auditor requirements in obtaining information to identify potential fraud risks
    • - Inquire of entity personnel (in-house) of anything regarding fraud and inconsistent responses indicate need for additional evidence
    • - Consider results of analytical procedures (during planning stage and final review stage)
    • - Evaluate fraud risk factors (POR, and use professional judgement to determine if they're there) - absence doesn't mean there's no fraud
  36. Factors of identifying risks of fraud
    • - Attributes to consider when analyzing risk (type, significance, likelihood, and pervasiveness)
    • - Presumption of risk (improper revenue recognition and mgmt override of controls)
    • - Size/complexity/ownership characteristics of entity and management
    • - Susceptibility of items to manipulation (when management judgement is involved or very complex accounting principles)
    • - After identifying, evaluate risks with effects to entity's programs/controls
  37. Required responses to assessed fraud risk
    • - Overall, general response (assigning personnel, determining level of supervision, evaluating management, mixing procedures up)
    • - Response encompassing specific audit procedures (nature/extent/timing)
    • - Response addressing risks related to management override (examine J/E, review acct estimates, evaluate purposes of unusual transactions)
  38. Types of identified risks to respond to in terms of fraud
    • - Revenue recognition (confirm contracts, analytical procedures of data, etc.)
    • - Inventory quantities
    • - Management estimates (use specialist or have independent estimate, compare to last years)
  39. Sources to evaluate audit evidence in assessing fraud risk
    • - Conditions identified during fieldwork (discrepancies in accounting records, conflicting/missing evidential matter, problematic relationships between auditor/management)
    • - Analytical procedures (required during planning stage and final review stage)
    • - Misstatements due to fraud (should withdraw of management's integrity, and reevaluate assessments and procedures)
    • - Final evaluation (might need to perform additional procedures)
  40. Communications in indications of fraud to management and those charged with governance
    • - Fraud causing material misstatement -> senior management and charged with governance
    • - Fraud involving senior management -> those charged with governance
    • - Significant deficiencies or weaknesses in internal control -> senior management and charged with governance
    • - Other -> charged with governance
  41. Documentation requirements for auditor's risk assessment of fraud
    • - Planning discussion, procedures performed, specific identified risks, results of procedures, other relationships
    • - If auditor hasn't identified improper revenue recognition as a fraud risk, support for conclusion (WHY?)
  42. Illegal acts by clients
    • - Auditor's responsibility is to detect direct effect illegal acts, but no obligation of indirect effect illegal acts (may be discovered)
    • - Possible illegal acts should be investigated into, and detected illegal acts should be communicated
    • - Effects should be considered in auditor's report and evaluation of internal control
  43. Steps to assessing the risk of material misstatement
    • I - internal control, entity and environment (obtain an understanding)
    • M - material misstatement - assess the risk
    • A - assessed level of risk response
    • C - control testing
    • P - perform substantive testing
    • A - audit evidence - evaluate appropriateness and sufficiency
  44. Risk assessment procedures to conduct to obtain an understanding of entity/environment, including internal control
    • - Inquiries
    • - Analytical procedures (planning/final review, and required GAAS analytical procedures performed during planning to review data (financial/non-financial) and understand entity and identify unusual items)
    • - Observation and inspection
    • - Risk assessment discussion with audit team
    • - Other procedures (reviewing external info, prior period evidence, etc)
  45. Factors to understand in an entity
    • - Industry, regulatory, and other external factors
    • - Nature of the entity
    • - Objectives, strategies, and business risks (latter results from events/circumstances that could adversely affect entity's ability to achieve its objectives/execute strategies)
    • - Entity's financial performance
    • - Internal control, including selection/application of accounting policies
    • Analytical procedures performed during planning an audit
    • - Review of data aggregated at a high level, such as comparing F/S to budgeted or anticipated results
    • - Generally, financial data is used although non-financial (# of employees, square footage of selling space, volume of goods produced) may also be considered
    • - Objectives of these procedures is to enhance auditor's understanding of entity and transactions/events that have occurred since last audit date, and identify unusual transactions/events, amounts, ratios, trends, etc that might be significant to F/S or represent relevant risks
  46. Main objectives of an entity
    • - Reliability of financial reporting
    • - Effectiveness and efficiency of operations
    • - Compliance with applicable laws and regulations
  47. Five components of internal control
    • C - control environment (overall tone of organization)
    • R - risk assessment (management's identification of risk)
    • I - information and communication systems (means of recording transactions and communicating responsibilities)
    • M - monitoring (assessment of internal control performance over time)
    • E - existing control activities (control policies and procedures)
  48. Factors of control environment
    • - Communication and enforcement of integrity and ethical values of the people who're in charge of internal controls
    • - Commitment to competence
    • - Participation of those charged with governance
    • - Management's philosophy and operating style
    • - Organizational structure
    • - Assignment of authority, responsibility and accountability
    • - Human resource policies and practices
  49. Risk assessment by management for internal control
    • - Entity's identification and analysis of risks to achievement of its objectives (which auditor should obtain understanding of)
    • - Includes business risks and accounting risks arising from circumstances or events
    • - Management may take action or decide to accept risk
  50. Information and communication systems in internal control
    • - Support identification, capture, and exchange of information in a timely and useful manner.
    • - The procedures (automated and manual) and records to initiate, process, authorize, record and report transactions, events and conditions
  51. Auditor should obtain an understanding of, in an accounting information system
    • - Accounting processing from initiation to inclusion in F/S
    • - Accounting records (electronic and manual) supporting info, and specific accounts involved in initiating, authorizing, recording, processing and reporting transactions
    • - The financial reporting process, including the development of significant accounting estimates and the inclusion of appropriate disclosures
    • Monitoring in an internal control system
    • - Process that assesses the quality of internal control performance over time by assessing design/operation of controls and taking necessary corrective actions
    • - Establishing and maintaining internal control is a responsibility of management
  52. Existing internal control activities
    • P - prenumbering of documents (ensure completeness and existence)
    • A - authorization of transactions (signed approval)
    • I - independent checks to maintain asset accountability (verification of work by others)
    • D - documentation (paper trail)
    • T - timely and appropriate performance reviews (analytical procedures comparing performances)
    • I - information processing controls (application controls and general controls to ensure valid and accurate transactions)
    • P - physical controls for safeguarding assets (security)
    • S - segregation of duties (separate authority/recording/custody "ARC")
  53. Identifying controls relevant to reliable financial reporting
    • - Not necessary to assess all, but use judgement to determine which ones
    • - Preventative controls vs. detective controls
  54. Evaluating the design and implementation of relevant internal controls
    • - Evaluate design, implementation and procedures (used to obtain evidence about design/implementation through inquiry, observation, inspection, observation of premises, and walkthroughs)
    • - Assess the risk of material misstatement by ID'ing the different types
    • - Design the 'NET' of further audit procedures
  55. Walkthroughs
    • - Trace transactions from inception through recording to confirm auditor's understanding and evaluate design
    • - Done through single transaction or identifying key steps in processing of a class of transactions
    • - Involve inquiry and additional procedures (observing individuals, re-performance, inspecting records, corroborating inquiry responses with others)
  56. Documenting understanding of internal control
    • F - flowcharts (system flowcharts and program flowcharts)
    • I - internal control questionnaires (yes/no/explanations, used for each assertion of mgmt ('COVERU'))
    • N - narratives (hard to "see", use for less complex)
    • D - documentation from client
  57. Effect of IT on internal control
    IT exception - IT system may make it impossible to reduce detection risk thru substantive testing alone, so must do control testing as well
  58. Manual vs. automated controls
    • - Manual controls are performed by people when needing judgement and discretion for large/unusual/difficult/nonrecurring/changing transactions, and are also used to monitor automated controls (but pose additional risk of human error or being ignored/overridden)
    • - Automated controls are performed by IT and are good for high volume/recurring transactions and control activities that can be adequately designed and automated
    • General vs. application controls
    • - General controls related to many applications and support effective functioning and proper operation of the information system
    • - Application controls apply to processing of individual transactions and help ensure they occurred, are authorized, and are accurate (e.g. controls over input, processing, and output)
  59. IT benefits
    • - Ability to process large volumes of transactions and data accurately and consistently
    • - Improved timeliness and availability of information
    • - Facilitation of data analysis
    • - Reduction in the risk that controls will be circumvented
    • - Enhanced segregation of duties through effective implementation of security controls
    • - Enhanced ability to monitor performance of entity's activities and its policies and procedures
  60. IT risks
    • - Potential reliance on inaccurate systems (garbage in/garbage out)
    • - Unauthorized access to data, which may result in loss/inaccuracies
    • - Unauthorized changes
    • - Failure to make required changes or updates
    • - Inappropriate manual intervention
    • - Potential loss of data
    • **Auditor should document program use and perform tests more often during year
  61. Inherent limitations of internal control
    • - Management override of internal control
    • - Human error (in design or use)
    • - Deliberate circumvention of controls by collusion of two or more people
    • - Segregation of duties may be difficult to achieve in a smaller entity (separate control group, operators, programmers, analysts, librarian)
  62. Effect of service organizations on internal control
    Service organization services are considered to be a part of a user entity's information system when those services affect the initiation, execution, processing or reporting of the user company's transactions
  63. Types of service auditor reports (attestation exam to report on their controls that are relevant to user entities' internal control over financial reporting)
    • - Type 1 report: report on management's description of the service organization's system and the suitability of the design of controls (doesn't provide user/CPA with a basis for reducing the assessment of control risk)
    • - Type 2 report: report on management's description of the service organization's system and the suitability of the design and operating effectiveness of controls (may provide evidence that would allow a reduction in assessed level of control risk)
  64. Risks of material misstatement (assertion vs. F/S level)
    • - Assertion level risks relate to specific transactions, balances, or disclosures at relevant assertion level
    • - Financial statement level risks are risks that relate pervasively to the F/S as a whole
  65. Factors that may be indicative of significant risks which require special audit consideration
    • - Risk of fraud
    • - Significant recent economic, accounting, or other developments
    • - Related parties and related party transactions
    • - Improper revenue recognition
    • - Nonroutine, unusual or complex transactions
    • - Accounting estimates or other subjective measurements of financial information
    • - Illegal acts
    • - Accounting principles that are subject to different interpretations
  66. What should the determination of whether a risk is a significant risk be based on?
    Only inherent risk, when it's exceptionally high (ignore effects of controls)
  67. Required documentation after assessing RMM
    • - Discussion among audit team
    • - Key elements of the understanding of the entity and its environment
    • - The assessment of the risks of material misstatement
    • - The identified risks and related controls evaluated by the auditor
  68. Response to risks at the relevant assertion level
    • - Nature
    • - Extent
    • - Timing
  69. Audit approach to identified risks - substantive approach
    • Use if there are:
    • - No effective controls relative to the specific assertion
    • - The implemented controls are assessed as ineffective
    • - It would not be efficient to test the operating effectiveness of controls
  70. Audit approach to identified risks - combined approach
    Both tests of operating effectiveness of controls and substantive procedures are used. Typically, if controls are operating effectively, less assurance will be required from substantive procedures.
  71. Control testing
    • - The auditor's risk assessment is based on the assumption that controls are operating effectively
    • - In situations where a significant amount of IT is used, substantive procedures may not be sufficient
    • - Only controls that are suitably designed to prevent or detect material misstatements are subject to tests of operating effectiveness
    • - Include inquiries, inspection, observation and re-performance (inquiry alone is not sufficient)
  72. Audit evidence hierarchy
    • 1) Personal observation knowledge
    • 2) External evidence
    • 3) Internal evidence
    • 4) Oral evidence
  73. Timing of tests of controls
    • - Should perform tests throughout a period to prove it's been working well, not just at one time
    • - Controls tested only during interim period should be supplemented by additional evidence for the remaining period (roll-forward)
    • - If using evidence from prior audit, need to re-test if controls have changed
    • - If controls haven't changed, operating effectiveness must still be tested at least once every third year
  74. Substantive testing
    • - Used to detect material misstatements at the relevant assertion level, and are required for each material transaction class, account balance or disclosure
    • - Nature: tests of details and substantive analytical procedures
    • - Extent: referring to sample size
    • - Timing: roll forward interim tests, and testing at interim increases risk (so should be done at/near end period)
  75. Evaluating audit evidence (sufficiency and appropriateness)
    • - Results may lead auditor to change audit plan and procedures accordingly
    • - If fraud's discovered, use professional skepticism
    • - Use judgement to evaluate sufficiency and appropriateness of audit evidence
  76. Documentation requirements for results of audit procedures
    • - Overall response addressing assessed risk at the F/S level
    • - Nature, extent and timing of further audit procedures
    • - Linkage of audit procedures with assessed risks at relevant assertion level
    • - The results of audit procedures
    • - The conclusions reached regarding use of prior period audit evidence in evaluating current operating effectiveness of controls
  77. Ways an auditor obtains an understanding of internal control system
    • - Types of misstatements that could occur
    • - The risk that misstatements could occur
    • - Factors that influence the design of tests of controls and substantive tests
    • - The assessment of inherent risk
    • - Judgments about materiality
    • - The complexity and sophistication of the entity's operations and systems
    • - The use of manual vs. computerized control procedures
  78. Types of substantive tests
    • - $ balances
    • - Analytical procedures
    • - Ratios