Accounting 407 - AUDIT Final Exam
What is COSO?
"Committee of Sponsoring Organizations" -Internal control framework suggested by SEC -Provides reasonable assurance of reliability of financial reporting.
Vertical Analysis
"Common-size" analysis where changes are expressed as a percentage of a base.
If ULRD > Tolerable rate of deviation:
Conclude that internal control is not functioning effectively
2. Rights and Obligations
Company has a legal claim on all assets and revenues reported and has a legal responsibility for all liabilities and expenses. -balance sheet assertion
Preliminary Analytical Procedures
Compare the RECORDED account balance with ESTIMATED account balance -ask why did # change so dramatically?
Horizontal Analysis
Compare year-to-year changes in financial statements
Prenumbered documents must be used and accounted for to ensure that all transactions have been recorded. What assertion is supported?
Completeness
Customer statement
Mailed to the customer and contains details of all sales, cash receipts, and credit memorandum transactions; monthly
Timing can accept a lower DR with _____ tests.
More.
Nature can accept a lower DR with _____ effective tests.
More. (More work for the auditor)
Nonsampling risk
Risk that the auditor may reach inappropriate conclusions based upon available evidence (auditor screws something up not related to sampling like a mathematical error)
2. Risk of Overreliance (ROO)
Risk you are relying on the control when you shouldn't -if CR is low then ROO is about 5% (low) -if you do this then you will do only substantive tests --> PUSH BUTTON HARD
Audit Risk
Risk you will sign off on materially misstated materials ex: AEC (popeyes) vs KPMG case: fired firm for giving undeserved "clean" opinions then shareholders sued KPMG
Virtue ethics
The action consistent with my ideal self.
Any remediation must be completed and tested before what date?
The balance sheet date (then auditor and mgmt doesn't have to disclose in opinion)
Responsibilities Principle (BE)
Who we need to be as an auditor 1. competence and capabilities 2. comply with ethical requirements of the profession - independence and due care 3. Professional Skepticism/Professional Judgement (suspicious attitude - prevents harm)
competence vs due care
competence- capable to do task (trained) due care- do at high quality
MOST IMPORTANT SUB TEST
confirmation of receivables (external evidence) *2 GAAP (generally accepted audit procedures) 1. confirm receivables 2. count inventory
sample tests
could lead to undetected material misstatement because you do not know # for whole
ex: audit bank
count $ in the vault -last one in and first one out
Material indirect interest
financial interest in a nonclient may impair independence when the nonclient has a financial interest in the client ex: Auditor ---owns --- Nonclient ---owns--- Client
Member of both public and business?
follow the most restrictive provisions
White Collar Crimes
fraud perpetrated by people who work in offices and steal with a pencil or a computer terminal. The contrast is violent street crime (stupid crimes- little $ and chance of dying)
Attestation
give a written report on what someone else claims is true (usually on the financial information) result: is it fair? -when the assurance is provided for specific assertions made by management
earnings management
good except when it's NOT Good: depreciation- 5 or 7 years Bad: systematic or purposeful, over record expense sin one year so you can reverse it later COOKIE JAR effect- put in a lot of expense when sales are up then reverse when revenues are down
Responsibilities
exercise sensitive professional and moral judgment
1. Competence and Capabilities
experience and expertise/education: 1. experience- hands-on practice and training 2. education- continued process
For completeness assertion do you need more or less ________?
More assurance
1. Control Envirnoment
sets the *tone of an organization*, influencing the control consciousness of the people it is the foundation for all other components
When testing the operating effectiveness of a control, the auditor should use:
-Inquiry -Observation - Reperformance
Sampling risk
Risk of choosing an unrepresentative sample (need to take representative sample to avoid bias)
Auditors can & do influence the level of _________ risk.
Detection
Substantive analytical procedures provide assurance related to _______ risk.
Detection
Inherent Risks
1. Improper Revenue Recognition: cutoff, bill and hold, channel stuffing 2. Returns and Allowances 3. Collectibility of Receivables 4. Lapping
Steps in Sampling
1. planning 2. performing 3. evaluating
Step 3: Identify and Assess the Risk of MM due to Fraud
1. Incentives and Pressures 2. Opportunities 3. Attitudes and Rationalizations For BOTH: -Fraudulent financial reporting -Misappropriation of assets
2. risks
4. Assessed level of control risk 5. Significant industry or company risks 6. Evaluate general computer system control environment
Partners are limited to __ consecutive years.
5
Major Steps in Attributes Sampling: PERFORMING
5. *Determine sample size* 6. *Select sample items* 7. *Measure sample items*
7. Advocacy
CPAs promoting a client's interests or position -happens at the FIRM level. Lobby to Congress, PCAOB, SEC, etc. on the behalf of their client (common for firm level)
4. self-review
CPAs reviewing their own work -ex: do bookkeeping and audit -AICPA ignores this
6. Management participation
CPAs taking on the role of client management or otherwise performing management functions -common with IPO clients. You act like de facto management
Step 2: Obtain information to Identify Risks
1. Inquiries- question management and internal auditors (must ask if mgmt is "aware" of fraud or has any concerns? 2. Planning analytical procedures
Limitations of the Audit Risk Model
- *CANNOT Set RMM = 0; must be at least 1
AICPA Materiality Table
"Guide to Materiality" *if you have a client over $100 Million that is ALARMING
GAAP Violation
"do not present fairly" don't even know how to do GAAP/don't try
GAAP Violation
"except for" ex: inadequate disclosure, wrong number because of valuation method
Objectives of attributes and variable sampling
(1) Attributes sampling - assess operating effectiveness of a key control (2) Variables sampling - estimate amount of misstatement in or the value of an account balance or class of transactions
Process to determining ULRD using AICPA tables
(1) Based on acceptable ROO, select appropriate table (2) Read sample size column (3) Identify column corresponding to # of deviations found (4) Find ULRD in table
Procedure to determine sample size using AICPA sampling tables
(1) Based ona cceptable level of risk of overreliance, select appropriate sample table size (2) Identify row of table corresponding to EPDR (3) Identify column of table for TRD (4) Determine sample size by using table
How audit team uses nonstatistical sampling for attributes testing to evaluate results of tests
(1) Calculate SRD (2) If SRD > TRD, conclude control not working effectively and revise planned DR (3) If SRD < TRD, cannot conclude control is operating effectively. Must use professional judgment to estimate allowance for sampling risk to determine likely rate of deviation in population
How sampling risk is controlled
(1) Determining appropriate sample size (2) Evaluating sample results to consider the possibility taht the sample does not appropriately represent the population
Factors affecting sample size in variables sampling
(1) Population size (direct relationship) (2) Expected misstatement (direct relationship) (3) Tolerable misstatement (inverse relationship) (4) Sampling risk (inverse relationship) (5) Population variability (direct relationship)
Factors affecting sample size in attributes sampling
(1) Population size (direct relationship) (2) Expected rate of deviation (direct relationship) (3) Tolerable rate of deviaton (inverse relationship) (4) Sampling Risk (inverse relationship)
Two sampling risks associated with variable sampling
(1) Risk of incorrect acceptance - likelihood that sample results indicate the account balance is fairly stated when it is materially misstated. Results in effectiveness loss b/c auditor will make incorrect conclusion and issue an inappropriate opinon (2) Risk of incorrect rejection - likelihood that sample results indicate that account balance is materially misstated when it is actualy fairly stated. Results in efficiency loss b/c additional transactions will be examined prior to proposing an adjustment to client's account balance
Two sampling risks associated with attributes sampling
(1) Risk of underreliance (risk of assessing CR too high) occurs when auditor's ample indicates that control is not functioning effecitvely, when it really is doing so. Auditor's ULRD exceeds TRD when this risk occurs. However, auditor doesn't know that true population deviation rate is less than TRD. Results in efficiency loss because she or he performs more extensive substantitve procedures than necessary (2) Risk of overreliance (risk of assessing CR too low) occurs when auditor's sample indicated that control is functioning effecitvely when it really is not. Auditor's ULRD is less than TRD but the true population deviation rate actually exceeds the TRD. Exposes audtiro to effectiveness loss b/c auditor's substantitve procedures will not reduce audit risk to acceptable level
What if audit team's sample size not included in AICPA sampling tables?
(1) Select additional items for examination to provide next highest sample size included on tables (2) Evaluate results of sample using smaller (more conservative) sample size (3) Interpolate table values and estimate a ULRD for # of items examined
Basic procedure used to evaluate sample results
(1) Select and measure sample items to determine sample estimate (2) Based on acceptable sampling risk, determine reliability and related precision (3) Form precision interval by adding and subtracting precision from sample estimate (4) Determine whether hypothesized (or acceptable) value falls within precision interval
Methods appropriate to use with statistical sampling plan
(1) Unrestricted random selection and (2) Systematic random selection, because they (a) provide reasonable likelihood of selecting a representative sample, (b) allow probability of selecting sample items to be determined, and (c) allow the sample selection process to be replicated
Methods used to select sample items
(1) Unrestricted random selection: series of random numbers is identified and the random numbers are matched to numbered items in corresponding population (2) Systematic random selection: Random starting point is selected within population. Fixed number of items are bypassed and corresponding item in population is selected. Process continued until number of items equal to appropriate sample size selected (can bypass by number of items or number of dollars) (3) Haphazard selection: Identifies sample items in nonsystematic matter with no deliberate effort to match random numbers to sample items. Care should be taken to eliminate any bias (4) Block selection: Identifies a series of continguous (adjacent) units for selection
Precision
(Allowance for sampling risk) *Closeness of sample estimate* to true population value
Reliability
(Confidence) *Likelihood of achieving* a given level of precision
Serious Scope of Limitation
(More than minor) -Requires the auditor to disclaim an opinion
Use of IT Auditors
(ON YOUR TEAM) -Specialized skills are often needed to evaluate the effect of computerized processing on the audit, to understand the flow of transactions, or to design and perform audit procedures -IT auditors are members of the audit team called in when needed. -Audit managers and partners should possess sufficient knowledge to know when to call on specialists and to supervise their work.
AICPA changed audit opinion date (report date) by moving LATER
(Used to be the last day of field work) NOW it is closer to the report release (or report issuance) date The earliest the opinion date can be is when: --All audit documentation is reviewed. --F/S (including all footnotes) have been prepared. --Management rep letter is signed—CEO and CFO take explicit responsibility for the F/S. *applies to public and private*
Relationship between sample size and...
(a) Sampling risk - inverse relationship (b) Tolerable rate of deviatoin - inverse relationship (c) Expected population deviation rate - direct relationship
International Ethics Standards Board for Accountants (IESBA) Code
(applies to multinational client - not hard to follow) ~The IESBA Code must be followed by auditors whenever an audit engagement is completed for a multinational client. ~The importance has increased dramatically in recent years. ~As a result, the PEEC of the AICPA has recently undertaken a project to recodify the AICPA Code of Professional Conduct to be in convergence with the IESB ethical standards.
Direct-effect noncompliance
(direct-effect illegal acts) violations of government regulations by company employees that produce direct AND material effects on the financial statements *auditors must plan to protect against these
Professional Judgement Process
(do this process over and over) 1. Clarify the issues and objectives 2. Consider the possible alternatives 3. Gather and evaluate the relevant evidence 4. Reach an audit conclusion 5. Carefully document rationale for the professional judgment reached
Compliance with Standards
(literally means follow the given standards) a member who performs: audit, tax, review, compilation, management consulting, or other professional services; shall comply with standards promulgated by bodies designated by Council
AS 5:
(reaction to AS2) An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements (for Publicly Traded Companies)
Advertising and Solicitation
(used to be banned) Advertising and solicitation of new clients is okay. Advertising: Cannot be "false, misleading, or deceptive" --Cannot create false or unjustified expectations of favorable results (ex: "we always win in tax court") --Cannot state ability to influence third parties --Cannot deliberately underestimate fees ("bait and switch" or "low balling")
Reasonableness test
* Required in Preliminary planning and final review; optional in Substantive testing - Analysis for this is performed horizontally or vertically
Rule 1.400 Acts Discrdible
* What you're not allowed to do as a CPA - Discriminate - Make false/misleading journal entries - Fail to file personal income tax return - Disclose CPA exam questions
Positive Confirmations
** MORE ASSURANCE -Asks whether the balance is correct/incorrect -always asking for a response; if you don't get a positive confirmation, you have to do something -used for small number of accounts and large number of errors are anticipated
Rule 1.700: Confidentiality of Client Information
**A CPA cannot disclose confidential information without a client's consent. UNLESS: - Workpapers are court subpoenaed -Part of PCAOB peer or quality review of practice
Brainstorming
**REQUIRED PROCEDURE - Should be ongoing during engagement -Set proper tone for engagement -Gain understanding of client
7 threats to independence
*1. familiarity* 2. adverse interest *3. undue influence* 4. self-review 5. financial self-interest *6. management participation* 7. advocacy (common firm-wide)
6 phases of the engagement
*1. plan the engagement* *2. use a TOP DOWN approach* to gain an understanding a) identify entity-level control b) walkthroughs (of the system) *3. testing IC effectiveness* a) design effectiveness b) operations effectiveness *4. evaluating control deficiencies* a) deficiencies b) significant deficiencies c) material weaknesses *5. wrapping up: forming an opinion* on the effectiveness of IC over financial reporting *6. reporting on IC*
Makeup of COSO IC
*5 components* *17 principles* (test according to whether these principles are in place) 77 points of focus
Testing the client-prepared bank reconciliation
*Balance per bank* --CONFIRM (STANDARD BANK CONFIRMATION) directly with bank --Agree to CUTOFF BANK STATEMENT *+Add Deposits-in-transit* --TRACE to cash receipts journal (client's books) --VOUCH to CUTOFF BANK STATEMENT (outside verification) *-Subtract Outstanding Checks* --VOUCH to cash disbursements journal (client's books) --TRACE checks cleared from cutoff bank statement (outside verification) *+/-Add/Subtract Debit/Credit Memos* Inspect bank credit/debit memo (usually immaterial) (do not spend a lot of time here unless really significant/high numbers) *=Balance per books* FOOT Reconciliation TRACE to trial balance
COSO
*Committee Of Sponsoring Organizations* of the National Commission of Fraudulent Financial Reporting (Treadway Commission) --mid 80's, chairman of commission was Treadway Mission: study why fraud was happening in the US --> RESULT: internal controls
Cutoff
*Control*: 1. date of shipping document compared to invoice date *Test of Controls*: 1. check agreement of date of shipment to invoice date 1. check FOB terms
Classification
*Control*: 1. sales to subsidiaries and affiliates are classed as inter-company receivables 2. credit sales are posted to customers' individual accounts *Test of Controls*: 1. trace postings of inter-company sales , sales returns, etc, to sales
Accuracy
*Control:* 1. credit sales are approved 2, prices are from authorized price schedule 3. invoice quantities are compared to PO and shipment quantities 4. prices and math are checked after invoice is prepared *Test of Controls*: 1. examine invoice for approval 2. compare prices to approved listing 3. Observe client reviewing quantities and examine evidence 4. recalculate price extensions and discounts and examine evidence of client doing it
Occurrence
*Control:* 1. invoices supported by PO, and bill of lading or other shipping documents 2. recorded sales in Revenue are supported by invoices *Test of Controls:* 1. check agreement between sales detail file and invoices, shipping docs, and PO for names, quantities, etc; 2. vouch from AR to supporting sales invoices
Completeness
*Control:* 1. prenumbered and numerical sequence (invoices, shipping docs, sales order) 2. statistical or product-line analysis of overall sales *Test of Controls:* 1. scan documents for numerical sequence 1. observe client checking sequence 1. trace shipping doc to sales detail file 2. examine evidence of client review and follow-up of analytical sales data
COSO's ERM
*Enterprise Risk Management* framework provides a *broader prospective than COSO*'s internal control framework
1. understand and document in Planning
*Internal Control Questionnaire*-- series of questions: if answer is "no" there is a potential control deficiency, Required to comment whether it is or isn't. Easy to do, comprehensive, used on sophisticated clients *Narrative* (small client or supplement) - write about what they have to do Accounting and Control System *Flowcharts* - literate in flowchart reading, if a data flow diagram then supplement with a narrative
Management vs Auditor
*Management* - most important objective? 1. operations 2. compliance 3. reporting *Auditor* 1. reporting 2. compliance 3. reporting **conflict of interest
Major Steps of Attribute Sampling: EVALUATING
*Problem with sample rate of deviation is that it may result from a nonrepresentative sample Need to "ADJUST" sample rate of deviation to control for the risk of overreliance Calculate an Upper Limit Rate of Deviation (ULRD)
3. Rationalization
*Reasons it's okay to do it:* I need it more than the other person. I'm borrowing the money and will pay it back. Everybody does it. The company is big and will never miss it. Nobody will get hurt. I am underpaid, so this is due compensation. (*expense items that are NOT valid) I need to maintain a lifestyle and image.
Summary of IC deficiencies
*Three categories* 1. Internal control deficiency (design and operating) 2. Significant deficiency 3. Material weaknesses (Note: COSO 2013 uses the term "major deficiency.") The difference between a significant deficiency and a material weakness is the (1) *likelihood* and (2) *materiality* that a potential (or actual) misstatement would not be detected on a timely basis.
Audit risk model
*basis for the entire way we audit* decomposes overall audit risk into three components: inherent risk (IR), control risk (CR), and detection risk (DR): AR = IR x CR x DR (IR x CR = Risk of Material Misstatement (RMM))
2. Opportunity
*most our time Chance to solve the unshareable problem by violating a trust -weak internal controls -circumventing internal controls -the greater the position, the greater the trust and exposure to unprotected assets
ERM
*objective setting* *event identification* *risk assessment* *risk response* control procedures --information and communication throughout --encompassed by monitoring
Steps of an audit:
*obtain/retain client 1. planning 2. interim 3. year end 4. wrap up
The Control Environment
- "Tone at the top" of an organization - The foundation for all other components -Set of standards, processes, structures that provided the basis for carrying out internal controls across the organization.
Section 404(b)
- ** applies only to "accelerated filers" - auditor's responsibilities
Section 404(a)
- ** applies to ALL U.S. publicly traded companies - management's responsibilities
Rule 1.800: Form of Organization and Name
- A firm can practice in any form permitted by state including LLP and LLC - Firm name should not be misleading - All partners must be CPA's or memebers of AICPA if included in firm name
All invoices received from vendors for payment must be matched to receiving report and purchase order to ensure that the quantity billed agrees with the quantity ordered and received at previously agreed upon prices. What assertion is supported?
- Accuracy - Existence/Occurrence
Rule 1.600 Advertising and Solicitation
- Advertising cannot be "false, misleading, or deceptive" ** Cannot underestimate fees ** Cannot state ability to influence third parties ** Cannot create false or unjustified expectations of favorable results.
Electronic Confirmation Requests
- Allowed by professional auditing standards - Many banks now only complete confirmation requests electronically - Can improve the control of both delivery and receipt of the confirmation request
Audit Evidence Used to Test Cash
- Cash Receipts Journal - Cash Disbursements Journal - Bank Reconciliations - Cancelled checks - Cutoff bank statement - Bank balance via confirmation
Lapping
- Classic form of fraud - Covering deposits w/other deposits - Can be detected by comparing checks listed on deposit slips to the detail of customer remittances recorded in the subsidiary.
Information/Communication
- Controls related to how the organization communicates to support the proper functioning of internal controls - Includes controls over the quality of the information used
Strong Internal Control Activities for Cash
- Dual custody of cash at all times - Lockbox arrangement - Fidelity bonds (insurance policy)
AICPA Code of Professional Conduct
- Establishes guidance of acceptable behavior for auditors - MAINTAINING INDEPENDENCE - Applies to auditors of public and private companies
Purchase Orders must be authorized by purchasing department before any purchase is made. What assertion is supported?
- Existence/Occurrence
Rules 1.300, 1.310, 1.320
- Follow professional standards and interpretations -Perform only those services that can be completed with professional competence - Exercise due care -Adequately plan and supervise engagements - Obtain sufficient relevant data for reasonable conclusions
Restrictions placed on the following types of non-audit services provided to audit clients:
- HR - Legal Services - Expert Services
Limitations of Internal Control
- Human error - Collusion - Management override - Cost/benefit analysis
The Fraud Triangle
- Incentive (pressure) - Rationalization - Opportunity (weak controls) *NEED ALL 3
Covered members include:
- Individuals participating in engagement - Individual in position to influence engagement - Partner/manager providing nonattest services to attest client - Firm's benefit plan - Partner in office where engagement partner practices
Monitoring
- MANAGEMENT'S process that assesses the quality of the internal control's performance over time. ** Control over controls
Standard Bank Confirmation Inquiry
- Must be mailed under auditor's own control - Used to confirm deposit balances and loan balances
Factors Affecting Detection Risk
- Nature, timing, and extent of audit procedures -Sampling risk -Nonsampling risk
Referrals
- Non-percentage based fee
Commissions
- Percentage-based fee
Factors affecting Overall Inherent Risk
- Prior Problems - Overall business risk
Basic Tenets of Ethical Conduct
- Responsibilities - Public Interest - Integrity - Objectivity - Due Care - Scope and nature of services
PCAOB - AS2110
- Risk-based auditing approach - Under this approach, more (or fewer) audit resources are allocated to accounts that are more (or less) likely to be misstated.
General Controls
- Span over several applications ex: -Acess restrictions (passwords, locks, etc)
Application Controls
- Specific to that application ex: error message when credit card info is entered wrong
Review for Collectibility
- Supports Valuation - inspect customer files for collectibility - recalc allowance and bad debt expense and verify reasonableness - verify appropriateness of accounts written off
Relevant Assertions Related to Cash
- Valuation - Existence - Presentation and Disclosure
Materiality Criteria - QUANTITATIVE
- absolute size -relative size -cumulative effects
Sales Cutoff
- used to verify whether sales/revenues recorded in the correct accounting period - TRACE sales invoices and shipping documents to the sales journal (before and after year end) - affects AR, sales, inventory, COGS
Types of Alternative Procedures
- vouch to subsequent cash collection (very strong evidence of existence/valuation) - examine supporting documentation such as sales orders, invoices, and shipping documents (3-way match) - inspect correspondence files for past due accounts (existence)
Scope Limitation
-"do not express an opinion" -cannot find anything -not enough evidence
Audit committee
-*3-6 OUTSIDE members* of the board (independent) -provides a buffer between audit team and operating mgmt -ALL members must be *financially literate* -*one "financial expert"* (ex: CPA) *critical role in PUBLIC co. (not required in private) *get paid by the company, but also have a real job
Made up of?
-*accounting system* (information) -*feedback and direction to employees* (communication)
Some strong internal controls
-*dual custody of cash* at all times (two people open the mail - one opens check and one records the listing) -*lockbox arrangement* ($ goes straight to bank or 3rd party -- RISK falls on them-- record cash receipts daily) -*fidelity bonds* - on cash intensive businesses send a bounty hunter to get cash $
Management's responsibility for IC
-*establish and maintain adequate IC* over financial reporting -*assess and report of effectiveness* of IC over financial reporting *cannot rely on external auditors
AS 5_ relies on SOX
-*responsibility is MGMT* -integrated audit of IC and FS -audit fees went up 40-60% bc audit of IC for 2 years bc didn't want bad PCAOB reports
1. information processing
--*Voucher packet* (Purchase requisition, purchase order, receiving report, invoice) matched prior to cash disbursement authorization --*Deposits reconciled to amounts credited to accounts receivable ledger* --*Bank reconciliation* ex: writing a check- VOUCH (backwards) - receiving report to vendor invoice
Probability-Proportional-to-Size (PPS) Sampling
--Also called *monetary unit* or dollar unit sampling -Follows exact same method as *attributes sampling* -Converts amounts (e.g., tolerable misstatement in the account) to a decimal (similar to tolerable deviation rate) and uses the same tables as attribute sampling -*More efficient than classical variables sampling* -Especially *effective for testing overstatement* ---the bigger you are the more likely you will get picked, pick every nth dollar, only works for testing OVERSTATEMENT, random, seen as more efficient, statistical sampling
Existence
-AR exist? confirm a sample of AR and perform follow-up procedures
Qualifications
-Auditors must know about the specialist's professional qualifications, experience and reputation -Should be *unrelated* to the client -Understand the specialist's methods and assumptions—can't just "rubber stamp" (know what the specialist is doing- have some expertise int he field) -Don't refer to in audit report unless the specialists' findings cause the auditors' report to be modified (their work is not included in audit report UNLESS their finding cause the report to be less than unmodified)
Audit Evidence Used to Test Cash
-Cash receipts journal (books) -Cash disbursements journal (books) -Bank reconciliations -Cancelled check scans (NOT same as void checks) -Bank statements -Cutoff bank statement: The audit team requests that a CUTOFF BANK STATEMENT be sent directly to the auditor (external) prior to subsequent month-end in order to verify deposits-in-transit and cleared checks on a timely basis. Can be manual or electronic - a MANDATORY procedure for every client. After the back rec at year end to see if cleared DIT and OS checks (service/interest charges are usually not material)
Rule 1.500 Commissions and Referral Fees
-Commisions: **Permitted for non-attest clients IF DISCLOSED ** Prohibited for attest clients -Referrals: **Pemitted for any engagement, IF DISCLOSED and IF FOR A SERVICE OF A CPA
2. Top-down approach
-Identify entity-level controls (p. 189) -Perform walkthroughs -Auditor must perform work related to: --Company-wide anti-fraud programs --Controls that have a pervasive effect -Auditor must obtain "principal evidence," but can incorporate work of internal auditors and others --Must assess competence and objectivity --Limited reliance --Can't reduce work on control environment
1. Plan the audit engagement
-Consider knowledge of *industry* -Consider knowledge of *business* -Consider extent of *changes in operations* (i.e. acquisitions) -Consider extent of *changes in internal control* -Evaluation must be done for all relevant assertions for all significant accounts or disclosures. Thus, *significant accounts, locations, and assertions must be identified.* -The key to determining whether an *account, location, or assertion is significant* is whether there is at least a reasonable possibility that a material misstatement could be associated with it. --Just as control risk is used to determine the nature, timing, and extent of substantive procedures, *inherent risk* is used to determine the nature, timing, and extent of tests of controls.
Factors affecting Control Risk
-Control environment -Existence/lack of and effectiveness of control activities -Monitoring activities
Other fraud detection procedures for Cash
-Count the petty cash twice in one day (surprise) -Carefully examine endorsements on canceled check scans -Audit general journal entries (debit to cash) -Retrieve customer checks -Use marked coins and currency -Measure deposit lag time -Examine documents such as bank statements for alteration -Covert surveillance (camera)
2. physical controls over the security of assets
-Deposit cash and checks daily and intact -Lock box account -EDI transactions -Dual custody over cash -Unused checks secured -Check imprinting machine
What are the two criteria for testing internal controls?
-Design -Operating effectiveness
Step 5: Evaluate Audit Evidence
-Discrepancies in the accounting records -Conflicting or missing evidential matter (sales records) -Problematic relationships between the auditor and management (pushing back really hard) -Results from final review stage analytical procedures (compare to margins of planning analytical procedures) -Vague, implausible or inconsistent responses to inquiries (use jargon/don't understand answer)
Factors affecting accounting inherent risk
-Dollar size of the account -Liquidity -Volume of Transactions -Complexity of the transactions -New accounting pronouncements -Subjective estimates
PCAOB duties and characteristics
-Ensure audit quality not compromised -Five executives or analysts on the Board -Supported by fees paid by: Publicly traded companies and CPA firms -Tasks: Registering CPA firms, Inspecting CPA firms, and Setting standards for Audit, Quality Control, Ethics and Independence
Using Confirmations
-Especially useful for verifying EXISTENCE. (also used for valuation, but not as good) Factors likely to affect the reliability of confirmations: 1. Previous audit experience 2. Intended recipient of the confirmation 3. Type of information being confirmed --The auditor may confirm entire BALANCES or individual TRANSACTIONS. 4. Type of confirmation being sent
Risk Factors Related to Rationalization
-Excessive interest by mgmt in stock prices -Aggressive forecasting -History of violations
Threats to an Auditor's Independence
-Familiarity threat (close relationship with client) -Self-review threat (CPA's reviewing own work) -Advocacy threat (CPA promoting clients interest or position)
Sponsoring Organizations
-Financial Executives International (FEI) -American Accounting Association (AAA) -Institute of Internal Auditors (IIA) -Institute of Management Accountants (IMA) -American Institute of CPAs (AICPA)
Kiting
-Floating of funds between two or more bank accounts -"Playing the float" - Schedule of Interbank Transfers is used to detect kiting - Advances in technology have decreased kiting
Use of audit procedures
-For risk assessment (primarily in planning) -To test controls (primarily at interim) -To produce evidence about management's assertions related to the amounts and disclosures in a client's financial statements (substantive procedures) --Primarily at year end, but also during interim --Tests of details, tests of balances, and analytical procedures
Purposes of Audit Documentation
-Integral part of audit quality—good audits have good workpapers (without good workpapers --> audit failure, even if your conclusion is correct) -Nature, timing and extent of work performed -Professional judgments (question to ask: "is it fairly stated?") -Basis for conclusions (evidence) -Provides basis for review
One of Newest Standards: internal audit (SAS 128)
-It introduces the concept from international standards that the auditor must consider whether the client's internal audit department uses a *"systematic and disciplined"* approach, including quality control. --As opposed to an "informal, unstructured, or ad hoc manner -->" Where's the fire?" -Internal Audit needs to be competent- usually composed on fossils and novices -Control risk decreases (bc IA is doing its job)
Engagement Completion Document
-Must include all significant findings or issues. -Must include items identified during interim review. -Must have completed all necessary procedures and obtained sufficient evidence before report release date (can be waiting for a few documents as long as evidence is sufficient) -Documentation should be complete (documentation completion date) no more than 45 days after report release date.
Considering the work of Internal Auditors
-Must obtain an understanding of a client's internal audit department and its work -Audit efficiency -Consider internal auditors' objectivity and competence -Internal auditors should not be delegated tasks that require extensive professional judgment
Risk Factors Related to Opportunities
-Nature of industry/operations -Complex org structure -Deficient internal control -Ineffective monitoring
Planning analytical procedures
-Net income to cash flows (total accruals to total assets): particularly the operating cash flows be 2nd most fraudulent JE is [AR and Sales] -- get sales to meet target then write-off as BDE -Days sales in receivables- is it increasing? -Gross margin- margins growing? shifting expenses? -Asset quality index (Noncurrent assets - PP&E to total assets)
Rule 1.500 Contingent Fees
-Not permitted for attest clients -Allowed for non-attest clients in some circumstances
Auditor uses risk assessment procedure to:
-Obtain an understanding of the entity's internal control -Identify key controls -Identify the types of potential misstatements -Design tests of controls and substantive procedures
SOX - management's responsibility
-One of its most important provisions clearly indicates that the management team is responsible for the financial reporting process and the financial statements. -In fact, Section 302 of the Act states that the key company officials must certify the financial statements. That is, the company CEO and CFO must sign a statement indicating: 1. They have read the financial statements. 2. They are not aware of any false or misleading statements (or any key omitted disclosures). 3. They believe that the financial statements present an accurate picture of the company's financial condition.
Examples of control activities:
-Physical controls over the security of assets -Segregation of duties -Information Processing --Approvals and authorization --Verification and reconciliations -Performance reviews **why fees went up bc SOX- so much testing (PCAOB took out AS2 and added AS5) **start from the top
Risk Factors Related to Incentive/Pressure
-Pressure from mgmt to meet 3rd party expectations -Personal financial situation -Financial stability/profitability threatened
"AS2201"
-Replaced "AS2" - Requires a top-down approach -More focus testing now & saving money
5 Components of Internal Control
-Risk Assessment -Control Environment -Control Activities -Information/Communication -Monitoring
Limitations of Risk-based Auditing
-Subtle and difficult to assess risk -Risk can change quickly -DONT BE PREDICTABLE
4. obtain sufficient appropriate evidence
-Sufficient = QUANTITY (how many transactions or components?) -Appropriate = QUALITY (what level of reliability needed? Source?)
Audit Documentation Requirement
-Sufficient to enable an experienced auditor having NO previous connection with the engagement to: --Understand the nature, timing, extent and results of procedures, evidence and conclusions --Determine who performed the work, date of work, reviewer and date of review -Clear link to significant findings or issues -Demonstrate: --Compliance with PCAOB standards --Support basis for conclusions on relevant assertions --Accounting records agreed with financial statements
2. Planning and gathering of evidence
-adequately plan and supervise all engagements -obtain sufficient relevant data to afford a reasonable basis for all conclusions and recommendations
Completeness
-all receivables that should have been recorded are recorded perform sales cutoff tests include a sample of zero balance accounts in confirmation - testing for UNDER statement (esp. in top 100 customers)
Audit Committee duties
-appointment, compensation, and oversight of the public accounting firm conducting the entity's audit -resolution of disagreements between management and the audit team -oversight of the entity's internal audit function -approval of non audit services provided by the public accounting firm performing audit (included tax return)
Negative Confirmations
-asks for a response only if something is wrong -if you don't get a negative confirmation back you assume everything is fine ***used when ALL are present: -RMM is low -Large number of small balances is involved -Client's customers can be expected to consider the confirmations properly
New SAS 130
-attestation standards -align with AS5 -after December 2016
Disclaimer
-auditors do not give an opinion -can issue for scope limitation (more serious) or situation when auditor is not independent -must be pervasive -"we were engaged to audit..."
Selection of audits
-better investigators -come from these companies so they know where to look -NOT RANDOM
2. Risk Assessment - principles
-clear objectives -identify risks (of the objectives) -NEW: consider fraud potential -assesses changes in controls
Audit Plan
-comprehensive list of the audit procedures (step by step actions) -must access the risk of material misstatement at the F/S and assertion level -The plan: the nature timing and extent of control and substantive tests (designed to mitigate these risks to an acceptable level) GOAL: sufficient and appropriate evidence as the basis of the opinion
3. Control Activities
-control activities mitigate the risks -general controls over technology (ex: cloud) -policies to implement controls
Why Assess Control Risk?
-determine the nature, timing, and extent of audit procedures -trade-off between testing of controls and substantive procedures -Note: *control testing required for public companies (AS 5)*, but not for private companies and not-for-profits
how to determine audit risk
-determined by the auditor -how much risk are you willing to live with? -typical: 5%
Auditor's responsibility for IC
-for public companies, must *audit and issue an opinion* about effectiveness of the IC over financial reporting under AS 5 (audit is integrated with FS audit) -for each fraud risk, must evaluate whether controls are in place to mitigate the fraud risk -must *assess control risk* to determine the nature, timing, and extent of substantive procedures to be performed (performance principle)
Integrity and Objectivity
-free of conflicts of interest -cannot knowingly misrepresent facts -cannot subordinate judgement to others -cannot knowingly make false or misleading entries in an entity's financial statements
Confirmation procedures
1) auditor should mail the confirmation request outside the entity's facilities 2) Record should be maintained of the confirmations mailed and those returned 3) A second request may be necessary in some cases
Content of GAAS
-lists the necessary qualifications and characteristics of auditors -lists procedures to guide the conduct of the audit
Red Flags: employee fraud
-missing documents (not as likely with electronic records) -second endorsements (signature) on checks (only have one on business checks) -unexplained adjustments to AR and inventory balances -excessive voids and credit memos (employee takes kickback through access to cash flow and lighting co ex) -increased past die receivables (sell to fake co. then w/o) -inventory shortages -increased scrap -duplicate payments (net 10, automatic billing) -common names or addresses for refunds (match vendor to employee info and match vendors with same address)
Today's information
-more complex -demanded by remote users -demanded in a more timely manner -has far reaching consequences
Materiality Criteria - QUALITATIVE
-nature of the item or issue -circumstances -uncertainty *matters even though it's not big ex: fraud or change net loss to net income
Other Controls
-no sale sorder with out customer purchase order -credit approval/check prior to authorizing the sale -restricted access to inventory -Restricted access to terminals that can record sales and to the invoices themselves (ex: leave sysytem up while at lunch or password is on desktop) -All documentation in order to record sales -Proper dating of the sale -Invoices compared to bills of lading and orders -Pending order files reviewed for back orders (ex: record sale of 500 but only shipped 50 before year-end so there was 450 in backorder/pending file)
Valent Pharm
-not transparent -aggressive -acquire drug -little R&D -market to access pharmacies - valent had 100% ownership *recording sales when product was shipped to pharmacy, but shouldn't have recorded til sold to people- either way the idea of inter-company sales made stock prices and sales fall
1. Competence and Care
-perform only those services that can be completed with professional competence -exercise professional due care
Analytical Procedures
-ratios -horizontal and vertical analysis (comparing 2 #'s - do they make sense? are they logical?)
Valuation or Allocation
-receivables are included in F/S at appropriate amounts and any resulting valuation adjustments are properly recorded obtain an aged trial balance of individual customer accounts and test the aging compare current year w/o experience to prior year allowance for bad debts examine cash receipts after the balance sheet date for collections of past due accounts and for large past due accounts obtain F/S or credit reports and discuss with credit manager calculate an allowance estimate and using prior relations or w/o and sales, taking under consideration current economic events
Accuracy
-receivables are recorded accurately? vouch sales invoices to customer orders and shipping documents
Materiality
-refers to an amount (or transaction) that would influence the decisions of users (i.e. an amount (or event) that would make a difference). The emphasis is on USER, rather than management or the audit team. A matter of PROFESSIONAL JUDGEMENT
3. SOD
-separate custody, authorization, recording, and reconciliation
Fraud Prevention
-strong control environment and tone at the top -managing people pressures in the workplace (white collar crimes are bc deep debt and addications) --counseling services (prevention) --hotlines (report) -control procedures and employee monitoring -integrity by example and enforcement
Blank confirmation
-subset of positive confirmation -Doesn't give an amount; they ask you what it is -Not used often
extended procedures
-surprise inventory counts -contract confirmations- go to other party in the agreement
Rights and obligations
-the entity holds or controls rights to AR inquire mgmt - sold or factored review bank confirmations, loan agreements, and minutes of board for indications of pledging, discounted or assigned receivables
ex: we cannot confirm this amount
-treat as a non-response and do alternative procedures -contact for elaboration
3. identify and assess risks of material misstatement
-understand entity and environment and industry (including internal control- the entity's policies and procedures in place to prevent or detect material accounting frauds or errors) -determine necessary effectiveness of substantive tests based on detection risk (based on inherent and control risk) -effectiveness of IC have an inverse relationship with control risk and number of substantive tests
4. Information and Communication
-uses information to mitigate risks -internal communication to support the functioning of IC -external communication of functioning of IC -information used to allow people to carry out their responsibilities
2. Authorization of transactions/controls
-write-offs -EDI transactions - power to create sale -credit checks PRIOR to approval of sale -pricing - HUGE area for fraud
Code is broken into 4 sections
0: applicable to ALL AIPCA members 1: applicable to members of PUBLIC practice 2: applicable to members of BUSINESS 3: applicable to "other" members (not in public practice or business)
3. testing of control effectiveness
1) *Evaluate Controls during Planning:* Design Effectiveness-- Could the control work? 2) *Test Controls at Interim: * Operating Effectiveness-- Does the control work?
4 selection methods
1) *Unrestricted random selection*: Select items based on random numbers matched to items in population (random number generator) 2) *Systematic random selection*: Bypass a fixed number of items in population, selecting every nth item (generate 1 random number, N/n = nth) *random selections 3) *Block selection*: Select contiguous units ex: lots of sales at year-end so select last 10 transactions) 4) *Haphazard selection*: Select items in a nonsystematic manner ("try" to be random, pick fav number) *non-random, judgmental
Audit of Cash Steps
1) Balance per bank (Confirm directly w/bank) 2) Add deposits in transit (Vouch to cutoff statements/"existence") 3) Subtract Outstanding Checks (Trace from cutoff statement to client's list of outstanding checks/"completeness") 4) Balance per Books (Trace the amount to the trial balance)
Analytic Procedure Steps
1) Develop an expectation 2) Define a "tolerable difference" (DIFFERENT THAN MATERIALITY) 3) Calculate predictions and compare with recorded amount 4) ***INVESTIGATE SIGNIFICANT DIFFERENCES 5) Document each of the above steps
Ethical Challenges Particular to Auditing
1) Most of the time, additional audit effort does not change anything. 2) Human nature is to be friendly, flexible and helpful. People like to be liked **MAINTAIN PROFESSIONAL SKEPTICISM 3) It is even more difficult to take a stand against the party that is paying your fee. **REASON FOR AUDIT COMMITTEE TO HIRE AUDITOR NOT MGMT 4) Motivated reasoning can lead auditors to rationalize problems away.
4 Key points of AICPA Code of Professional Conduct
1) Principles (aspirational goals of behavior) 2) Rules of conduct (enforceable ethical regulations CPAs must follow) 3) Interpretations (applications of rules to specific business situations) 4) Ethical Rulings
Steps for Audit Risk Model
1) Set desired level of AR 2) Assess what IR would be 3) Assess what CR would be 4) Solve for DR
Tests of Controls
1) Walk through (risk assessment/basic understanding of key processes) 2) Test of design 3) Test of effectiveness ** Under 404(b) management has to test 2 & 3.
Circumstances to justify omission of confirmation:
1) not material to financial statements 2) if assessed RMM Is low at the relevant assertion level and other planned substantive procedures address the risk 3) confirmation of accounts receivable is expected to be ineffective ** not all 3 have to be present
1. planning
1. *Determine the objective of sampling* 2. *Define the characteristic of interest* (i.e. attribute) 3. *Define the population* (ex: all purchase orders from the quarter) --Must be sure to completely and carefully define
Major Steps in Attributes Sampling: PLANNING
1. *Determine the objective of sampling* Identify key controls that the auditor intends to rely upon 2. *Define deviation conditions* What would we see if the control is not functioning as intended? 3. *Define the population* Should reflect all potential applications of the control during the period being examined
Summary of sampling risks
1. *Effectiveness Losses* --Risk of overreliance (assessing control risk too low) --Risk of incorrect acceptance 2. *Efficiency Losses* --Risk of underreliance (assessing control risk too high) --Risk of incorrect rejection
2 options
1. *Increase sample size* in hopes of supporting planned level of control risk—generally a BAD IDEA (WHY? sacrifice your own objectivity bc could just expand bad results and inefficient) 2. *Increase level of control risk*, leading to more effective substantive procedures (lower detection risk)
Sampling Mistakes from PCAOB inspections
1. *Insufficient sample* between interim and year-end (in 4th Quarter) 2. Sample from only part of population 3. Failure to ensure population was complete 4. *Sample too small* (from training auditors to put EPRD = 0? sample too small unless control is perfect) 5. Procedures not performed on all items selected
Processing cash receipts (flowchart)
1. *Prepare cash remittance list* -should be everyday and a dual task -can be electronic -basis for deposit slip -customer and amount paid 2. *Deposit slip* -to the bank with listing with cash itself **-comes back validated that day (bc they put in their account to earn interest) 3. *Look at accounts by customer* - cash and AR 4. *Cash Receipts* **reconcile DAILY- all #'s should be EQUAL - FRAUD
examples:
1. *control environment*: tone from the top, corporate policies, organization authority 2. *risk assessment*: monthly risk control meetings, internal audit risk assessment 3. *control activities*: purchasing limits, approvals, security, reconciliations, specific policies 4. *information and communication*: vision and values survey, issue resolution calls, reporting, corporate communications (email, meetings) 5. *monitoring*: monthly reviews of performance reports, internal audit function
Limitations of IC
1. *human error* 2. *collusion* 3. *management override* 4. *cost/benefit analysis* (just bc external auditors want client to implement IC doesnt mean they will) --there is often a trade-off between the cost and effectiveness of internal controls --the concept of reasonable assurance recognizes that the cost of an entity's internal control should not exceed the benefits that are expected to be derived
Audits of Private Companies
1. AICPA: Statements on Auditing Standards --> SASs, codified as AU sections :: all current standards issued by the Auditing Standards Board 2. PCAOB Auditing Standards: ASs :: NOT applicable
Audits of Public Companies
1. AICPA: Statements on Auditing Standards --> SASs, codified as AU sections :: standards issued by the Auditing Standards Board prior to 2003 not amended or superseded by the PCOAB standards (Interim Standards) 2. PCAOB Auditing Standards: ASs :: All current standards issued by PCAOB -SAS: always follow, AS: follow if you have a public company and if more rigorous than SAS
4 outcomes
1. Account is not misstated/ Account is not misstated 2. Account is misstated/ Account is not misstated 3. Account is not misstated/ Account is misstated 4. Account is misstated/ Account is misstated
Confirmation Considerations
1. All confirmations returned by the post office as non-deliverable must be investigated 2. Responses to positive and blank confirmations provide more reliable evidence than negative non-responses. 3. Recipients of accounts receivable confirmations might not report understatements (This is why you don't get much assurance about completeness from confirmations. They don't protect against understatement of the receivable) 4. Auditors must have heightened professional skepticism for electronic responses (fax or e-mail)--Verify that the response came from an appropriate person at the customer.
Characteristics of Preliminary Analytical Procedures
1. Attention directing >>Identify potential problem areas 2. An organized approach >>A standard starting place to start examining the financial statements 3. Describe the financial activities >>Identify unusual changes in relationships in the data 4. Ask relevant questions >>What could be wrong? What legitimate reasons are there for these results? 5. Cash flow analysis >> Do cash flows make sense compared to earnings?
Pre-Engagement Activities
1. Client acceptance or continuance 2. communication between predecessor and prospective auditors (must be allowed by client) 3. compliance with independence and ethical requirements 4. engagement letters (terms of engagement: when opinion will be done, etc.) 5. termination letter (formally say we are done: public co. does 8K and private co. does termination letter which is given soon after finished audit
factors affecting CR:
1. Control environment 2. Control activities or procedures 3. Monitoring activities (audit committee, internal audit)
Entity Level Controls
1. Controls related to the control environment. (how does someone get on board or AC) 2. Controls related to management override. (who monitors this? ex: 2 signatures) 3. Centralized processing and controls including shared service environments. (cloud) 4. Controls to monitor results of operations. 5. Controls to monitor other controls. 6. Management's risk assessment. 7. Period-end financial reporting process. (STANDARD) 8. Policies that address significant business control and risk management practices.
Analytical Procedure Steps
1. Develop an expectation. 2. Define a significant difference. 3. Calculate predictions and compare them with the recorded amount. 4. Investigate significant differences. 5. Document each of the above steps.
Step 7: DOCUMENT fraud matters
1. Discussion of fraud consideration by engagement personnel and who participated 2. Procedures to identify and assess risk 3. Specific risks identified and auditor response (how you changed your audit plan) 4. If revenue recognition not a risk, explain why (this is rare) (DO NOT want to write this) 5. Results of procedures regarding management override (what you are doing to prevent) 6. Communication to management and audit committee (always communicate fraud to management (and audit committee) UNLESS they are ones committing it)
What increases inherent risk at account level?
1. Dollar size of the account 2. Liquidity 3. Volume of transactions 4. Complexity of the transactions 5. New accounting pronouncements 6. Subjective estimates
Management's Financial Assertions (PCAOB)
1. Existence and Occurrence 2. Rights and Obligations 3. Completeness 4. Valuation or allocation - most important 5. Presentation and disclosure (used to be used by AICPA- made larger set, made by clients, 1-3 test over and over, HOW you test them matters)
Types of audits and auditors (4)
1. Financial (External Auditors/CPAs): Ensure that financial statements are reliable 2. Operational (Internal and Governmental Auditors/CIAs): Improve operational efficiency (make sure things are DONE- efficiency purposes) 3. Compliance (Internal and Governmental Auditors): Ensure compliance with company and/or governmental rules and regulations (make sure following laws) 4. Forensic (Fraud Auditors/CFEs): Designed to investigate a crime and will often involve gathering evidence designed to convict a fraudster (decide who caused the problem, involved in litigation, lays out blame)
Uncollectible accounts
1. Inspect customer files for collectibility 2. Recalculate ALLOWANCE and BAD DEBT EXPENSE 3. Verify reasonableness of ALLOWANCE and BAD DEBT EXPENSE 4. Inspect documentation for appropriateness of accounts written off --Verify attempts to collect receivable. (should be a standard process) --Verify authorization is appropriate.
General Audit Procedures
1. Inspection of records and documents ---Vouching- move backward to find overstatement ---Tracing- move forward to find understatement ---Scanning- don't have to "read" because there are lots of documents and you just need to look at what is important (be an expert) 2. Inspection of tangible assets—inventory, fixed assets 3. Observation—of others (on controls) 4. Inquiry—inside and outside company (ask questions) 5. Confirmation—from third party (bank, vendor, customer) 6. Recalculation—checking mathematical accuracy 7. Reperformance—of procedure or control by the auditor 8. Analytical Procedures—plausible relationships, looking for unexpected results (required in planning and wrap up)
Acts Discreditable (to the profession)
1. Keeping client's books when requested (used to do this til the client paid) 2. Employment discrimination, including sexual harassment 3. Failure to follow GAGAS on a governmental audit 4. Making false or misleading journal entries 5. Failure to meet requirements of a governmental body, commission, or regulatory body (SEC, PCAOB, IRS) 6. Disclosure of CPA examination questions or answers (cannot discuss with ANYONE) 7. Failure to file a personal income tax return 8. Personal felonies or serious misdemeanors (disclose everything beyond a speeding ticket)
The Goal of the Audit
1. Management's Assertions (believe something is true- sum of assertions: numbers and notes) 2. Evidence (LINK) (need this to reach an opinion) 3. Opinion
factors affecting detection risk
1. Nature, timing, and extent of audit procedures 2. Sampling risk- Risk of choosing an unrepresentative sample. 3. Nonsampling risk- Risk that the auditor may reach inappropriate conclusions based upon available evidence
3 exceptions (not required)
1. Not material to the financial statements. 2. If the RISK OF MATERIAL MISSTATEMENT is low, and the assessed level of evidence from analytical procedures and other tests of details is sufficient to reduce audit risk to an acceptably low level, confirmation of accounts receivable may be inefficient. (BUT IR IS ALWAYS HIGH- so never applies) 3. Confirmation of accounts receivable is expected to be ineffective (based on previous years' audit experience).
Loans from financial institutions are permitted (generally okay)
1. Obtained prior to 2/5/01 under old rules 2. Obtained prior to the lender becoming a client 3. Loan was sold to an attest client 4. Loan was obtained before the CPA became a member 5. Loans on life insurance 5. Fully collateralized by cash deposits, loans, leases, etc. (at credit union) 6. Credit cards and cash advances less than $10,000 (if you owe $10,000 on a credit card of a client)
Other Issues related to Audit Documentation
1. Ownership: Auditors maintain ownership, even after auditor-client relationship is over. 2. Confidentiality: Only can be made public with permission, or if subpoenaed, or as part of a peer review of firm practices, or as part of an ethics investigation of firm personnel.
Stages of Use for Analytical Procedures
1. Preliminary planning- required 2. Substantive testing- optional 3. Final review- required
Code of Professional Conduct
1. Principles: ideal standards of ethical conduct (aspirations) 2. Rules of conduct: minimum standards of ethical conduct stated as specific rules (10 commandments, ENFORCEABLE) 3. Interpretations: of the rules by the AICPA division of professional ethics (mainly related to independence) 4. Ethics Rulings: published explanations and answers to questions about rules of conduct (related to time and circumstance)
Revenue Cycle
1. Purchase Order with credit approval 2. Ship and deliver goods 3. Bill and record sale 4. Receive payment and deposit
Cash Receipts: Process Activities
1. Receive cash and REMITTANCE ADVICE in mail. 2. Prepare REMITTANCE LISTING. 3. Enter total from REMITTANCE LISTING (or REMITTANCE ADVICE) in CASH RECEIPTS JOURNAL. 4. Prepare DEPOSIT SLIP and deposit cash receipts in bank (INTACT and DAILY). 5. Record update to SUBSIDIARY ACCOUNTS RECEIVABLE using REMITTANCE ADVICE. 5. Reconcile REMITTANCE LISTING, SUBSIDIARY ACCOUNTS RECEIVABLE , and DEPOSIT SLIP daily
Signs of MW
1. Restatement of previously issued financial statements to reflect the correction of a misstatement. (not applicable when FASB changes rules) 2. Evidence of material misstatements (caught by the audit team) that were not prevented or detected by client's internal controls. 3. Ineffective oversight of financial reporting process by entity's audit committee. (dont fix your suggestions) 4. Indication of fraud (either material or immaterial) by senior management.
1. company
1. Review of the prospective or continuing client relationship 2. Need for special technical or industry expertise 3. Unusual accounting principles problems
Keys Controls in Rev Cycle
1. SOD- is critical to avoid fraud 2. Authorization of controls - authorization of transactions 3. Access to Assets 4. Adequate documents and records 5. independent checks on performance
Analytical Procedures
1. Sales Revenue --Comparisons with previous periods --Comparisons with industry 2. Allowance for Doubtful Accts, Bad Debt Expense --Bad Debt Expense as a percentage of Sales --Allowance for Doubtful Accounts as a percentage of Gross Receivables 3. Accounts Receivable --Days Sales in Accounts Receivable (or DSO) --Accounts Receivable Turnover
Sample size based off 4 criteria
1. Sampling Risk (ROO) 2. Expected population deviation rate 3. tolerable rate of deviation 4. population size
Significant Findings or Issues (must include)
1. Selection, application and consistency of accounting principles, including disclosures (ex: volkswagon: led to lawsuits, govt. regulation, fines) 2. Control deficiencies and material misstatements 3. Audit adjustments (anything you propose) 4. Disagreements (between auditors and/or client and how you got to a solution, evidence: concise memo) 5. Circumstances that cause significant difficulty 6. Significant changes in components of assessed audit risk (inherent and control risk- audit risk itself does NOT change) 7. Matters that could result in report modification (qualified opinion)
When is Sampling used?
1. Study and evaluation of *internal controls*: -Does the control work? -*Attribute sampling* 2. *Substantive procedures* -Is the balance fairly stated -*Variable sampling*
If disagreements exist concerning prep of F/S or record of transactions
1. Take the supervisor's position if acceptable. 2. Report to higher level if supervisor's position is not acceptable. (GO above them to follow policy) 3. Consider resigning if upper management will not take appropriate action. * need a conscience and a spine!!
AUDITING ACCOUNTS RECEIVABLE
1. Test Accounts Receivable Aged Trial Balance (Exhibit 7.8) 2. Confirm balances. 3. Perform analytical procedures 4. Test sales cut-off
What determines sample size in attribute sampling?
1. Tolerable Rate of Deviation 2. Risk of Overreliance (ROO) Risk of Assessing Control Risk Too Low (RACTL) 3. Expected Population Deviation Rate
In Proxy Stmts the CLIENT must disclose:
1. Total audit fees to the public accounting firm for the annual audit and the reviews of quarterly financial information; 2. Total fees to the public accounting firm for tax and other advisory work; 3. Whether the audit committee or the board of directors considered the public accounting firm's advisory work to be compatible with maintaining the auditor's independence; (SIGN OFF) 4. If more than 50 percent, the percentage of the audit hours performed by persons other than the principal auditor's full-time, permanent employees.(OUTSOURCED??)
Red flags for noncompliance
1. Unauthorized transactions. 2. Government investigations. 3. Regulatory reports of violations. 4. Payments to consultants, affiliates, or employees for unspecified services. 5. Excessive sales commissions and agents' fees. 6. Unusually large cash payments. 7. Unexplained payments to government officials. 8. Failure to file tax returns or to pay duties and fees.
Sales Cutoff Procedures
1. Used to verify whether Revenues are recorded in the CORRECT ACCOUNTING PERIOD. --"Holding the books open" (could be legit or not: can finish finalizing sales from end of DEC vs holding open til they get the sales they need) 2. Examine SALES INVOICES and SHIPPING DOCUMENTS shortly prior to and after year-end. 3. Examine returns after year-end. --Channel stuffing?
Alternative Procedures
1. Vouch subsequent cash collections. (BEST evidence) --Usually sufficient evidence of existence and valuation 2. Examine shipping documents. 3. Examine client-generated supporting documentation, such as invoices. --Depends on internal controls 4. Inspect correspondence files (some external and some external-internal, ex: emails)
substantive testing steps
1. analytical procedures- low risk accounts (prepaid insurance) 2. tests of details- select sample transactions 3. tests of balance- look at total balance
SOD
1. authorization 2. recording 3. custody 4. reconciliation
5 Analytical Procedures
1. comparable periods 2. anticipated results 3. relationships of other balances (ratios) 4. industry average 5. nonfinacial information
Why users need this information
1. complexity 2. remoteness 3. time-sensitivity 4. consequences
2 things to do every audit (GAAP)
1. confirm receivables 2. count inventory
Three basic approaches
1. deontological - duties 2. teleological - consequences or outcomes 3. ontological - virtue or character *most people consider 1&2 when placed in an ethical situation
Non-compliance with laws and regulations
1. direct-effect noncompliance 2. indirect-effect noncompliance
Cash Receipts and Disbursements: key control activities
1. information processing 2. physical controls over the security of assets 3. SOD
principles of the control environment (BOOK)
1. integrity and ethical values 2. independent board 3. reporting structure fit objectives 4. commitment to competence 5. accountability for IC responsibilities
Internal Control Opinion format
1. intro (3) 2. Scope (5) 3. Definition 4. Inherent Limitations 5. Opinion 6. "Post-it-note" - also did the FS opinion (1&2 look the same as FS, 3&4 are always exactly the same in every IC opinion)
Categories of QC
1. leadership ("tone at the top") 2. relevant ethical requirements (independence) 3. acceptance and continuance of clients (a form every year/flowchart, risk > benefit?, integrity, competence, legal/ethical requirements) 4. human resources (evaluation/promotions, hiring and assigning) 5. engagement performance (2 partners on company) 6. Monitoring (quality control partner, watching over previous 5 components of QC)
Fraud triangle/fraud elements
1. motivation 2. opportunity 3. rationalization =HIGH RISK
OLD AICPA RULES of code of conduct
1. no solicitation 2. no advertising - only business card 3. no competitive bidding - considered unethical -they did this to restrain trade- FTC threatened to sue so they took away the rules, but said it was "unprofessional" if you did -rules changed but not the principles *now these have become STRATEGY
5 effects on sample size
1. population size 2.*expected rate of deviation* 3. *tolerable rate of deviation* 4. *sampling risk* 5. population variability 2, 3, 4 - real drivers 1. 5 - software will adjust for these
Understanding the client's business
1. review old workpapers 2. walkthrough - of the systems 3. interviews: management (want you to go away) and internal auditors (be their friends) 4. related parties - hard to identify, arms length transactions 5. first time audit? (increased risk) 6. use of internal auditors, specialists, IT auditors 7. analytical procedures- REQUIRED in planning and in wrap up
Considering risk of FRAUD (7 steps)
1. staff discussion (brainstorming) : REQUIRED 2. Identify information necessary to assess fraud risk factors : what do we need? 3. a) Identify b) Assess the risk factors : identify risks and controls 4. Respond to risk assessment : change audit plan 5. Evaluate audit evidence : assess results 6. Communicate fraud matters : to audit committee 7. DOCUMENT : in workpapers and letters to the board
2 Sampling approaches
1. statistical sampling 2. nonstatistical sampling Both statistical sampling and nonstatistical sampling can be used in a *GAAS audit*
Why is this a common rule to break?
1. talking with colleague in elevator and other people get in 2. Friday night at the bar- talking too loud 3. parents- be careful
Negative Confirmation
1. the combined assessed level of inherent and control risk is low 2. a large number of small balances is involved 3. the auditor has no reason to believe that the recipients of the requests are unlikely to give them consideration.
EXCEPTIONS to confidentiality
1. to remain in compliance with standards (GAAP or GAAS) (scope limitation or GAAP violation) 2. if workpapers are subpoenaed by court (cannot change anything) (unless you have a privileged auditor/client relationship) 3. as part of a PCAOB review, peer review, or quality review of practice 4. as part of an ethics violation for state board of accountancy investigation
3 general phases of IC evaluation
1. understand and document in Planning 2. assess control risk (preliminary) in Planning 3. testing and reassessment
What increases inherent risk at company/entity/client level?
1.Competition 2. Economy 3. Nature of Industry 4. Management Style 5. Leverage
SEC/PCAOB prohibited or limited nonaudit services to audit clients
1.Financial information systems design and implementation; 2. Appraisal or valuation services; 3. Actuarial services; 4. Internal audit services; 5. Management functions; 6. Human resources; 7. Broker-dealer services; 8. Legal services; 9. Expert services; 10. Any service for an audit client for a contingent fee or commission; 11. Tax services that are based on judicial proceedings or aggressive interpretations of tax law; 12. Planning or opining on the tax consequence of a transaction; 13. Tax services for key company executives. (individual returns)
timeline
12/31 - year end 2/20 - last day at client/last day of field work 3/1- opinion date: 3 things to be done 3/6 - report release date (45 days) 4/20 - must be 100% done
There are ___ types of opinions for internal controls and ___ for financial statements.
3; 4
Lawsuits from _________ do not effect independence.
3rd parties (AKA Cross claims)
2. performing
4. *Determine sample size* --Under statistical sampling, sample size considers exposure to sampling risk 5. *Select sample items* 6. *Measure sample items* -Perform procedure and make appropriate evaluation/measurement -Determine sample estimate (ex: sample misstatment, SRD) -Nonsampling risk can occur if incorrect procedures are performed or mistakes in evaluation or measurement are made.
Continued considerations
5. Non-response to Positive/blank confirmation requests --Follow up with second and sometimes third requests. (give a week to 10 days) --A lower than expected response rate could be indicative of fictitious customer accounts. (ASK WHY??) -->Alternative procedures. 6. Non-response to negative confirmation requests --lots of responses: misbilling? all one direction? --Only limited evidence concerning financial statement assertions. --Alternative procedures are not necessary for unreturned negative confirmation requests. 7. Follow-up on ALL exceptions
3. people
7. Use of internal auditors , IT auditors, and specialists 8. Staff assignment and timing schedules 9. Schedules of work periods, meeting dates with client personnel, and completion dates
example of monetary unit
80% of the dollars with only 14% of transactions
levels of CR
80-100% - weak controls 50-80% - moderate 10 - 50% strong *if bad controls then CR is HIGH -- do lots of substantive testing
Non-accelerated Filers
<$75 million in market capitalization Have to file within 90 days of year end
Emerging Growth Comapnies
>$1 billion in revenues Within 5 years of IPO Exempt from internal control audits because of JOBS act
Large Accelerated Filers
>$700 million in market capitalization Have to file within 60 days of year end
Accelerated Filers
>$75 million in market capitalization Have to file within 75 days of year end
Confidentiality of Client Information
A CPA cannot disclose confidential information without client's consent applies to private (non-public) info privileged relationship- like a lawyer and client (you can lose your CPA and firm license)
1. motivation (4 types)
A MOTIVE is a pressure a person believes is unshareable with friends and confidants Usually: a) *economic* - desperate or perceived need for money b) *egocentric*- committing fraud for personal prestige Occasionally a) psychotic- "habitual criminal" who steals for the sake of stealing b) ideological- cause is morally superior, justified in the making others victims (RARE- hate the company and what it stands for)
Proof of Cash
A PROOF OF CASH is used when controls over cash are weak. It essentially combines two bank reconciliations, reconciling all transactions that occurred during the period to the client's Cash Receipts Journal and Cash Disbursements Journal. --easy control when client does not have good cash controls (set-up in excel) -especially great in small accounting firms
Free of conflicts of interest
A conflict of interest may exist when there is a significant relationship with a person, entity, product, or service that could be viewed as impairing the member's objectivity -ex: cannot hawk client's products
significant deficiency
A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting. *significant enough where the AC should know about it
material weakness
A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements *will not be prevented or detected on a timely basis.* --if you have one material weaknesses then you get an adverse opinion on IC
Material Weakness
A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
Who is a member?
A member according to the AICPA includes: -All individuals participating in an engagement -An individual in a position to influence the engagement -A partner or manager who provides nonattest services to an attest client (e.g., the tax partner on the client) -A partner in the office where engagement partner practices -The firm's benefit plan -An entity that can be controlled by any person considered a member ---SEC calls them "covered members"
Rule 1.200 Independence
A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council. -Applies to attestation engagements -Financial relationships -Managerial relationships -Applies to immediate family/close relatives
Independence
A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by council. must be independent for audit, attestation, and review
Deficiency in Design
A needed control is either missing or flawed.
Tone at the top is part of which COSO component? A) control environment B) risk assessment C) control activities D) monitoring E) information and communication
A) control environment
Which assertion does the following control support: purchase orders must be authorized by the purchasing department before any purchase is made? A) existence/occurrence B) completeness C) presentation and disclosure D) valuation/allocation
A) existence/occurrence
When a sample of customer accounts receivable is selected for vouching debits, auditors will vouch them to A) sales invoices with shipping documents and customer sales invoices B) Records of accounts receivable write offs C) cash remittance lists and bank deposit slips D) Credit files and reports
A) sales invoices with shipping documents and customer sales invoices
When a sample of customer AR is selected for vouching debits, auditors will vouch them to? A) sales invoices with shipping documents and customer sales orders B) Records of AR write offs C) cash remittance lists and bank deposit slips D) Credit files and reports
A) sales invoices with shipping documents and customer sales orders
5. independent checks on performance
A/R subsidiary ledger (aging) to general ledger (reconciled frequently, preferably DAILY) - must be assigned to customer. performed at least monthly Monthly statement to customer- protects against OVERstatement, REALLY important control
What happens if you do one of these acts?
AICPA - kick you out State Board- take your certification and firm license
Self-Regulatory Discipline
AICPA - kick you out State Societies of CPAs - voluntary association
AICPA
AICPA --Auditing standards board -- SAS 122-129 (codified as AU) -private companies follow these, public follow what is more rigorous
Independence Standards : AICPA
AICPA Code of Professional Conduct Rule 101
AICPA vs SEC punishments
AICPA- kick you out, penance: CPE or Quality Review SEC: jail/fine, bans from executive or board
Management Fraud Risk
AKA "Financial reporting fraud" *INTENTIONAL
Employee Fraud
AKA Misappropriation of assets or "stealing" *INTENTIONAL
"write-up" or bookkeeping services
ALLOWED by the AICPA IF -client understands and accepts the statements as their own -auditor does not assume a role of employee or management -no other relationship that impairs integrity and objectivity EXCEPTION: cannot do "write-up" services for PUBLIC clients (SEC says NO)
1. Improper Revenue Recognition
ALWAYS a fraud risk -*cutoff*: more concerned about overstatement (80%) then understatement (20%) ex of understatement: new CFO might smooth earnings- fire people, take losses, blood bath in a few quarters, hold back sales-- HUGE turnaround -*bill and hold*: send invoice early - BILL, but keep the goods - HOLD. Not a sale. Different levels (store in back room, ship to warehouse near customer, etc.) -*channel stuffing*: can be LEGAL or can be FRAUD. It is illegal when it creates fraudulent F/S. In the SC there are people with power over others so they ship and record sales with a purchase order (force into SC) ex of legal: Mary Kay (all about customer relationships)
Potential conflict of interest
ALWAYS exist between the auditor and client -Management wants to portray the company and its operations in the best possible light. -Auditors want to make sure that this portrayal is fair and accurate.
REQUIRED risk assessment
ALWAYS presume that *improper revenue recognition* is a fraud risk (AU 240.26). Identify risks of management override of controls. Examine journal entries and other adjustments. Review accounting estimates for biases. Evaluate business rationale for significant unusual transactions.
Audit Risk formula breakdown
AR- SET: low or very low IR- ASSESS: HIGH if MM is likely to enter the AIS CR- ASSESS: HIGH if MM is not likely to be detected by the IC DR- CALCULATE: (what is the acceptable level of DR?) HIGH means we can afford less effective testing, LOW means we need more effective testing
When the aggregate misstatement is less than the tolerable misstatement...
Accept the account as fairly presented
ULM > TM
Account is misstated (do bigger sample- more precise estimate, give # to get to)
When the aggregate misstatement is greater than the tolerable misstatement...
Account is not fairly presented
ULM <= TM
Account is not misstated
Upper limit rate of deviation
Adjusted rate of deviations that provides conservative measure of population rate of deviation. Allows audit team to ctonrol exposure to sampling risk to acceptable levels Rate of deviation that has a (1 minus ROO) probability of equaling or exceeding true population rate of deviation. There is a ROO probability that true population rate of deviation exceeds ULRD
Substantive Strategy
After obtaining an understanding of internal control, an auditor may choose to follow this strategy and set control risk at HIGH because: - controls don't pertain to an assertion - controls are likely to be assessed as ineffective - testing the effectiveness of controls is inefficient
5. Presentation and disclosure
All accounts are presented in the appropriate place, and all information required has been disclosed in the statements and footnotes -classification: current vs long term, charge expense to different accounts (income statement) -understandibility- in footnotes
3. Completeness
All balances and transactions have been recorded in the financial statements. -used to test UNDERSTATEMENT (ex: liabilities and expenses) -TRACING FORWARD: Start from the beginning and move to the books (move forward) *cutoff- did you record the transaction in the proper place? (can be over or underestimated. ex FOB destination)
Close relatives
All immediate family members and parents, siblings, or non dependent children cannot have: -known material (to the relative) financial interest or financial interest providing significant influence in an audit client (KNOWN to me and MATERIAL to that person) -hold key position with an audit client or be able to influence the audit (substantial impact on reporting)
Close Relative
All immediate family members and parents, siblings, or nondependent child.
AICPA documentation requirements
Applies to ALL audits (not just public company audits like PCAOB's AS 3 standard) --Standards not as stiff as AS 3 1. Documentation completion date must be within 60 days of report release date, not 45 days as under AS 3. 2. Must retain documentation for 5 years, not 7 years as under AS 3. (more time to finish and less time to retain) (if firm has public and private companies - this is irrelevant bc they do not want to mess/mix up)
PCAOB AS 5: how to AUDIT IC
Applies to Auditors of Public Companies: Must *audit* I/C Must give an *opinion* on I/C
SOX 404: how to DO IC
Applies to Public Companies: Must thoroughly *document* I/C Must *assess* I/C adequacy and *report* on it
Using Materiality on Audits
As a guide for: 1. planning substantive procedures- directing attention and audit work to those items or accounts that are important, uncertain, or susceptible to errors or frauds 2. Evaluation of evidence- Auditors use performance materiality to make sure that the aggregate of uncorrected and undetected immaterial misstatements does not exceed materiality for the financial statements as a whole. 3. Decisions about the audit report
First day of your internship
Ask for 2 documents: 1. Engagement Completion Document: summarize everything you found in prior year's audit (required) 2. Planning Memo/Audit Strategy Memo: How we are going to do the audit this year
Substantive Procedures
Assertions and pertaining Sub test
1. Existence and Occurrence
Assets and liabilities included in the accounts exist and recorded transactions are valid and have actually occurred. -used to test OVERSTATEMENT (ex: revenue and assets) -start with the books (sales journal or asset listing) --> VOUCH for legitimacy of documentation (and move back) Voucher Packet
4. Valuation or allocation
Assets, liabilities and recorded transactions have been valued in accordance with GAAP. -income statement accuracy -ex: depreciated cost- is our method appropriate? Allocation of scale
"Test of details" provides a lot of _______ but very expensive.
Assurance -Pulling documents -Confirmation
Assurance vs Attestation vs Auditing
Assurance- improve quality or context, any info Attestation- written report on subject matter that is the responsibility of another Audit- opinion on financial statements
Communication level for misappropriation of assets
At least one level above the people involved
communication between predecessor and prospective auditors
Attempt to communicate is REQUIRED (if the client gives permission, the new auditors must try) If permitted, issues to discuess would include: 1. disagreements 2. communications- fruad, illegal acts, internal controls 3. reasons of audit change Note: they do not have to tell you anything, but it is professional If not permitted- why not? should I take client? (want to ask to talk to predecessors in bidding process)
Module F
Attributes Sampling
Options available if ULRD < TRD
Audit team can choose to rely on IC at planned levels
Think Enron's fees
Audit: $25 Million for internal and external and $27 Million for other -firms getting 90% of profit from consulting -- til SOX
The ______ focuses on those controls that contribute to the reliability, timeliness, and transparancy of external financial reporting.
Auditor (only cares about controls related to finc. reporting)
Write-off authorization
Authorizes final write-off of A/R; authorized by treasurer
Positive Confirmation
BIG customers small number of accounts are involved large number of errors are anticipated
Independence Standards : SOX
Banned services under section 201 Audit partner rotation required under section 203
Determination of ULRD
Based on ROO, sample size, and # of deviations. B/c sample size and number of deviation determine sample rate of deviation, the ULRD is essentially basd on sample rate of deviation and ROO
Why does it need to demostrate those requirements?
Blue Line Entries Blue line- audit the books and say they were fairly stated. The on F/S they move #'s, but keep the balances the same (manipulate #'S) --Can do this with Xerox machine and a light blue pencil because on copies you cannot see number have been marked out
In preparing for the audit of cash, the auditors perform analytical procedures concerning cash balances. Which of the following would be the best source of information for use in the estimate of cash? A) prior years' balances B) management inquiry C) cash budgets D) aged accounts receivable reports
C) cash budgets
The primary purpose for obtaining an understanding of a non-public audit client's internal control is to: A) provide a basis for issuing an opinion on the internal controls B) provide a basis for making constructive suggestions in a management letter C) determine the nature, timing, and extent of further audit tests to be performed D) provide the rationale for the inherent risk assessment at the financial statement assertion level E) more than one of the above
C) determine the nature, timing, and extent of further audit tests to be performed
When completing the audit of internal controls of a public company, the PCAOB requires auditors to audit internal controls over A) operations B) compliance with regulations C) financial reporting D) all of the above
C) financial reporting
Computer Assisted Audit Tools (CAATs)
CAATTs—Can access and extract client information without disrupting data processing to perform audit procedures Some CAATTs Procedures: -Calculate field statistics (totals, high, low and mean) -Perform complex recalculations -Compare files -Group data -Select sample *detect fraud*
Representation letters
CEO and CFO taking responsibility Management is responsible for F/S covers auditors, w/o it is a scope limitation
Commissions and Referral fees
COMMISSIONS: recommending products or services of clients or third parties (non-CPA) --Permitted for non-attest clients, if disclosed --Prohibited for attest clients (you could receive payment for selling client's products if NOT an audit/attest client, but still must DISCLOSE) REFERRALS: recommending services of CPAs --Permitted for any engagement, if disclosed (happen all the time, but must be DISCLOSED)
eFFECTS OF cOMPUTER pROCESSING tRANSACTIONS
CON 1. transactions trails- tend to disappear (if they have a simple computer system - NOT ERP) PRO 2. Uniform processing of transactions- avoids human error CON 3. segregation of duties is less frequent (one process/click carries out multiple duties) PRO 4. Potential for increase mgmt supervision- access to the information (easily track multiple divisions in all geographic areas) CON (scary) 5. computer itself can initiate or execute transactions PRO? 6. use cloud computing apps - could be safer than your own system
2. adverse interest
CPAs acting in opposition to clients (e.g. through litigation) -if client sues you then you are NOT independent -uncommon
1. familiarity
CPAs having a close or longstanding relationship with a client (cannot imagine them lying to you)
5. Financial self-interest
CPAs having a financial relationship with the client -cannot invest in the client
2. Teleological
Calculation-based ethics Ethical Egoism—greatest good for me (or my company or firm) (IGNORE other's consideration) Utilitarianism—greatest good for the greatest number (everyone counts the same) Act utilitarianism- can't determine if it ethical til the result Rule utilitarianism- do the right thing even if it doesn't work out
Pricing
Can be OVER or UNDER -should have controls implemented by client ex: kickback- charge customer $2 for 100,000 units increase price 10%- but give the rep a check for $10,000 a month (written as another expense) Fraud in OVER pricing ex2: decrease price by 10% Rep needs to write extra check for 10% a month to you Fraud in UNDER pricing BUT there are legit reasons for discounts --> must ask WHY??
Options available if ULRD > TRD
Can reduce reliance on IC and icnrease CR with a corresponding reduction of DR and increased substantitve testing, OR can expand sample to achieve an observed ULRD less than or equal to TRD. However, expanding sample is generally not an effective response
Accounting Principles (rule 203 may have evaporated)
Cannot say it's GAAP unless it is! -opinions -negative assurance (reviews: "nothing came to our attention") RULE 203 report exception: if you client uses a method you believe is superior to GAAP then you can give them a clean opinion. "Our client used XXX approach and we AGREE", but if they are wrong then you are toast
Accounts affected by cash receipts transactions:
Cash (DR) Cash discounts (DR) Trade accounts receivable (CR)
Cash Internal Control Considerations
Cash is *HIGHLY LIQUID*, easily *TRANSPORTABLE*, and *NOT easily IDENTIFIABLE*, and therefore is a primary target for employee thieves
Treasurer's Office
Cash management/touch the cash
Audit of Cash
Cash on HAND: (ex: petty cash, days cash receipts, cash equivalents) -Count SIMULTANEOUSLY with other liquid assets -Count in presence of client employee -For undeposited receipts that are counted, you should: --Trace to cash receipts journal (CRJ) --Agree to subsequent deposit in bank statement (did cash from that day flow through?) Cash on DEPOSIT: (easy) -Audited mainly through the client's BANK RECONCILIATION and bank confirmations.
Predictability
Client does NOT like when auditors are unpredictable- they know exactly how you test, your methodology, your plan. B/C they have been there for years or once worked at your firm
Cash disbursements: control risk assessment
Control considerations: -proper SOD -detail control (error checking) activities - (if not SOD then someone should be checking) -internal control questionnaires (we conduct) -transaction process walkthroughs (we conduct) Detail test of controls audit procedures - vouch the voucher packer to make sure they are only paying for what they should be)
The sales journal provides information for what type of sales?
Credit sales
If the auditors encounter a significant scope limitation in evaluating a public company's internal control over financial reporting, which of the following types of opinions on the effectiveness of the company's internal control over financial reporting would be appropriate? A) unqualified opinion B) qualifies opinion C) adverse opinion D) disclaimer of opinion
D) disclaimer of opinion
Which of the following might be detected by auditors' cutoff review and examination of sales journal entries for several days prior to the balance sheet date? A) lapping year end accounts receivable B) misappropriating merchandise C) kiting bank balances D) inflating sales for the year
D) inflating sales for the year
Incorporating elements of unpredictability in the selection of audit procedures to be performed by auditors include all of the following except A) varying the timing of the audit procedures B) selecting items for testing that have lower amounts or are otherwise outside customary selection parameters C) performing audit procedures on an unannounced basis D) sending attorney letters to every attorney listed under the legal expense account
D) sending attorney letters to every attorney listed under the legal expense account
Client has one MW and fix it, clean opinion?
DEPENDS on when you find it Oct: time to fix it before the opinion Jan: they will beg you to define it as a significant deficiency
2. Expected population deviation rate
DIRECT RELATIONSHIP with sample size --Based on past audits or pilot sample
4. population size
DIRECT RELATIONSHIP with sample size, but negligible --determined by number of applications of control to transactions --usually N/A
2. expected rate of deviation (expected misstatement)
DIRECT effect as auditors expect a higher level of deviations or misstatements in population, need to sample more items
1. population size
DIRECT effect as population is larger, need to sample more items
5. population variability
DIRECT effect as population is more variable, need to sample more items to obtain representative sample ex: suddenlink - only need a small sample
4 possible outcomes
Decision based on sample vs decision based on population 1. Rely/rely 2. Reduce Reliance/rely 3. Rely/reduce reliance 4. reduce reliance/reduce reliance
(SR)Controlled by:
Determining an appropriate sample size Ensuring that all items have an equal opportunity of selection (cannot control it if the sample is not random) Mathematically evaluating sample results (control it bc you cannot eliminate it)
Key Controls
Directly relate to Control Risk
Contradictory Information
Documentation should include contradictory information found by the auditor- that is inconsistent with or contradicts the auditor's final conclusions. (show contradictory evidence because more defensible in court than vulnerable --> show 70-80% of evidence supported you by concisely documenting FULL thought process) -Procedures performed in response -Who was consulted with to get an answer -How the team resolved the controversy (was it just your team or were experts involved?) -Can't just bury it! Document it!
Non-accerlerated filers were permanently exempted from Section 404(b) because of ______________.
Dodd-Frank Act in 2010
1. Deontological
Duty-Based Ethics The Categorical Imperative (Kant) --"Act only according to that maxim by which you can at the same time will that it would become a universal law." (ex: if it is okay for you to cheat on an exam then everyone can do it) Duties also arise from moral, religious, and professional codes. (Codes often call them "principles."/core values) Duties usually cause us to refrain from certain actions
Cash audit
EASY to audit, but cash leaks esp. in a public co. EASY to get client to monitor cash controls
Independence Ex
EY partner has affair with Ventas Inc CAO - years of audits are dismisssed bc independence was broken
Chapter 6
Employee Fraud and Cash
Chapter 3
Engagement Planning
Nonsampling Risk
Errors of judgment or execution (your mistakes)
Voucher Packet Contains:
Everything supporting the purchase by your company; matched prior to cash disbursement - Purchase Requisition - P.O. - Receiving Report - Invoice
Step 6: Communicate Fraud Matters
Evidence that fraud may exist must be communicated to appropriate level of management. -Management fraud or fraud resulting in material misstatement must be communicated to the BOARD. -Sarbanes-Oxley: Significant deficiencies must be communicated to those charged with governance (the board of directors). -ANY fraud committed by (upper) management (no matter how small) is material. -Sometimes *overriding duty* to report outside (ex; find something that could threaten public health) IF A PUBLIC COMPANY- go to audit committee, if private/small go to board
For Accounts Receivable, what is the relevant assertion with the highest IR?
Existence
Reporting Principle
Express Opinion (or don't: DISCLAIMER - quick to find out because lack of evidence) Must be in accordance with appropriate financial reporting framework (ex: GAAP)
Reporting Standards
Express an opinion (or indicate that an opinion cannot be expressed) on entity's financial statements Assess financial statements against financial reporting framework -Set of criteria used to determine the measurement, recognition, presentation, and disclosure of material items in the financial statements -Examples: GAAP, IFRS, or special purpose framework
EXTRA
FASB proposed amendment accounting concept statement - how we define things/conceptual statements SPAS #8 refining materiality to supreme court definition
*if you get info that allows you to present the F/S fairly
FIX THE F/S -did the underlying event take place at balance sheet date
The debit to A/P and credit to cash can be done by someone with access to the check-writing function. True or False?
False
COSO is required by law. True or False?
False.
Auditors can be compensated for bringing in other services (consulting) to the clients. T or F?
False. Cant be compensated or else it's a violation of independence.
The risk assessment component of COSO refers to the auditor's identification and analysis of relevant risks related to the achievement of its objectives. True or false?
False; management's
Internal controls can receive a qualified opinion. True or False?
False; no such thing.
Auditors must provide adverse external opinion on internal control for all deficiencies. True or False?
False; only for material weaknesses
Auditors must report all deficiencies to audit committee. True or False?
False; only significant deficiencies and material weaknesses
There is only one organization that can discipline a CPA. True or False?
False; there are multiple organizations in Self-Regulatory and Public
Quest Communications - Rounding Trip Transactions (FRAUD)
Fiber Optic swaps - switch channel with optics, but then wireless happened. Needed a new plan so they supercharged earnings by doing nothing -recording cash sales so increasing revenue -recording cash purchases so increasing fixed assets *problem: NOT A SALE- like-kind exchange (only recognize revenue to the extent of boot received). Both companies were getting fixed assets and infused revenue. HUGE margin --> leading the market in revenue.
Independence Standards : SEC
Financial employment relationships Nonaudit services Disclosures about fees
Utilitarianism Principle
Focuses on the consequences of the action (either positive or negative)
5. Wrapping Up
Forming an opinion on the effectiveness of internal control over financial reporting 3 types: 1. *Unqualified*. No material weaknesses found. 2. *Disclaimer of opinion*. The audit team cannot perform all of the procedures considered necessary. 3. *Adverse opinion*. One or more material weaknesses found. (NO QUALIFIED OPINION)
GAAS vs Principles
GAAS- OLD - not enforced anymore Principles- NEED TO KNOW
AICPA GAAS vs Responsibilities Principle
GAAS: 1. training and proficiency, 2. independence in mental attitude, 3. due professional care Responsibilities: Auditors are responsible for- 1. competence and capabilities, 2. ethical requirements (independence and 3.due care), 4. professional skepticism and professional judgement
AICPA GAAS vs Performance Principle
GAAS: planning and supervision, understanding of entity and environment to assess risk of material misstatement, and obtain sufficient appropriate evidence Performance: To obtain reasonable assurance- 1. plan work and supervise assistants 2. determine and apply appropriate materiality levels 3. identify and assess risks of material misstatement 4. obtain sufficient appropriate evidence
Subsidiary Account
Has the details to the customer accounts/individuals
Control Account
High level journal entry/summary
3. Expected Population Deviation Rate
How often do you think the control fails? -look at HISTORY (and adjust for changes in controls) ex: adjust up if they fired a lot of people -if new client then do a small sample/pilot sample to get a feel of system
When is Attribute Sampling?
INTERIM: Test of Controls Does the control work?
3. tolerable rate of deviation
INVERSE RELATIONSHIP with sample size --Establish based on desired level of CR
1. Sampling Risk (ROO)
INVERSE RELATIONSHIP with sample size --Establish based on desired level of CR --Lower CR=Lower risk of overreliance
3. tolerable rate of deviation
INVERSE effect as auditors require lower level of deviations or misstatements, need to sample more items
4. sampling risk
INVERSE effect as auditors wish to reduce chance of incorrect decisions, need to sample more items
IC vs FS
IS - 5 paragraphs FS - 3 -intro -scope definition limitations -opinion
Question of variable sampling
IS THE ACCOUNT FAIRLY STATED
Question of Attribute sampling
IS THE CONTROL WORKING
If ULRD <=Tolerable rate of deviation:
If ULRD <= Tolerable rate of deviation -Conclude that the internal control is functioning effectively -Maintain planned level of control risk, leading to original planned level of substantive testing
Decision rule with relationship between ULRD and TRD
If ULRD is less than or equal to TRD, audit team will conclude control is functioning effectively If ULRD is more than TRD, conclude control is not functioning effectively
Conceptual Framework for AICPA independence standards
In April 2006, the PEEC (Professional Ethics Executive Committee) adopted the Conceptual Framework for AICPA Independence Standards, which describes the PEEC's risk-based approach to analyzing independence issues that arise: 1. Identify and evaluate threats to independence. 2. Determine whether safeguards eliminate or sufficiently mitigate the identified threats. 3. Determining whether independence is impaired.
3. Evaluating sample results
In statistical sampling, evaluating sample results controls exposure to sampling risk Parameters: --Sample estimate --*Precision* (Allowance for sampling risk): difference between ULRD (worst case) and SRD (best guess). As sample size increases, precision is better --*Reliability* (Confidence): 95% confidence = 5% ROO (*refer to page 4&5)
Rule 1.100: Integrity and Objectivity
In the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interests, and shall not knowingly misrepresent facts or subordinate his or her judgement to others. - does not simply mean complying with bureucratic rules. If it seems bad, it is bad.
With low-level employees, auditors should be careful in deciding whether a fraud is "clearly _______".
Inconsequential
More concerned with incorrect acceptance or rejection?
Incorrect acceptance b/c it may result in issuing an unqualified opinion on financial statements that are materially misstated
Risk of Material Mistatement
Inherent Risk x Control Risk -The risk that material misstatement exists in the financials before auditors apply their substantive procedures. -Inverse relationship between RMM and DR.
Auditors cannot affect ____ and _____ risk, only assess them because they are part of the company.
Inherent and Control
Adverse Template
Intro - 3 Scope- 5 MULTIPLE PARAGRAPHS to explain Opinion- 1
How does sampling risk affect sample size
Inverse relationship; lower level of sampling risk will require a larger sample size and vice versa
Documentation
Involves all seven steps of sampling process Important judgments include: -Factors affecting sample size and rationale for those factors -Method of selecting sample and description of items selected -Method of measuring sample items and summary of measurements -Evaluation of sample results and overall conclusion
Check kiting (exaggerating)
Is the *deliberate floating of funds* between two or more bank accounts to make it appear that more cash is present and available than is really the case. This practice is also known as "playing the float." --Advances in technology and bank scrutiny has decreased this possibility in recent years. --A Schedule of Interbank Transfers is generally used by auditors to detect check kiting. *hard to do in US, but more possible internationally. "move" money in not as watchful bank systems.
Specific Documents that must be retained 7 years
Issuing office must retain prior to report release date: 1. Engagement completion document 2. List of significant fraud risk factors, responses and results of related procedures 3. Inconsistent or contradictory information 4. Finding affecting consolidating or combining of accounts 5. Information to reconcile amounts audited by other auditors to consolidated financial statements 6. Schedule of audit adjustments 7. All significant control deficiencies and material weaknesses and clear distinction between categories 8. Representation letters 9. Matters to be communicated to audit committee
Evaluating Nonstatistical Sampling
JUDGMENTAL Calculate Sample rate of deviation Estimate an Allowance for Sampling Error (bc ULRD does not matter - just a reference point) Compare SRD to TRD -If SRD > TRD: reject sample -If SRD < TRD: Compare SRD to EPDR --IF SDR < EPDR: Probably accept sample Can use tables for guidelines Remember, it's *auditor judgment!*
Higher CR =
Lower DR (more work for auditor)
Significant Deficiency
Less severe than a material weakness, yet important enough to merit attention.
Timing can accept a higher DR with _____ tests.
Less.
Nature can accept a higher DR with _____ effective tests.
Less. (Less work for the auditor)
Nonsampling Risk
Likelihood that an incorrect conclusion will be reached because of reasons unrelated to sampling, which is a nonsampling error. These arise because of errors in judgment or execution of sampling plan
Sampling Risk
Likelihood that decision made based on the sample will differ from decision that would have been made if entire population had been examined, which is a sampling error. Sampling error arises when sample drawn from population does not approrpiately represent that population
Higher IR =
Lower DR (more work for auditor)
__________ is responsible for maintaining effective Internal controls.
Management (Shouldn't be relying on auditor)
Chapter 4
Management Fraud and Audit Risk
Risk Assessment
Management's identification and analysis of relevant risks related to the achievement of its objectives. **NOT THE SAME AS AUDITOR'S RISK ASSESSMENT
4c. Identify Material Weaknesses
Material weaknesses are deficiencies that result in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.
Tolerable Misstatement
Maximum amount by which an account balance can be misstated and be accepted by audit team as being fairly presented. Auditors compare an "adjusted" sample misstatement (upper limit on misstatement) to toelrable misstatement to determine whether account balance is materially misstated
Tolerable rate of deviation
Maximum rate of deviations from a control that an audit team permits without reducing planned reliance on internal control. Audit team compares an "adjusted" sample deviation rate (upper limit rate of deviation) to tolerable rate of deviation to determine the extent to which auditor can rely on IC
Attributes Sampling
Method used to determine extent to which a particular characteristic (or attribute) exists within a population. In an audit examination, attributes sampling is used in study and evalatuion of internal control and subsequent assessment of CR
PCAOB
Monitors accounting firms through inspections -Firms auditing > 100 public entities: annual -Firms auditing < 100 public entities: every 3 years Inspection reports list deficiencies in audits conducted by registered firms
Original Auditing Guidelines
Montgomery's Auditing -how to audit US firms -firm led to PwC -Fundamental job: protect public (cPa), uphold traditions of integrity and truth, remember who you are
Revenue Recognition
Must be (1) *realized or realizable* and (2) *earned* -realized: received -realizable: reasonable assured of collectibility or receivable
Integrated Audit Report
Must include the auditor's opinion on financial statements and the internal controls.
Financial Relationships
NO DIRECT financial interest NO MATERIAL INDIRECT financial interests NO MATERIAL JOINT VENTURES with clients, officers, directors, or shareholders (ex: buy beach house with controller - if material) LOANS- normal lending practices, if collateral required (allowed: grandfathered loans and collateralized loans)
Part 2
NONPUBLIC -how to fix the problems- 1 year to fix or they will release it to public -inspection results pertaining to the firm's QC
High Detection Risk Strategy
Nature: Physical examination at interim, analytical procedures, substantive tests of transactions and balances. Timing: interim and year end Extent: limited testing of accounts or transactions
Low Detection Risk Strategy
Nature: Physical examination at year end, review of external documents, confirmation, reperformance. Timing: all significant work completed at year-end Extent: extensive testing of significant accounts or transactions
If an auditor detects a material weakness in internal controls, does this imply material misstatements in account balances?
No; if there is a material weakness, there is a reasonable possibility of misstatement but not always
2. nonstatistical sampling
Nonstatistical sampling violates one or both of the criteria( Select sample items or Evaluate sample results)
For revenue, what is the relevant assertion with the highest IR?
Occurrence
A ___ year "cooling off" period is required for employees in a "financial reporting oversight role" who previously worked with the CPA firm performing the audit.
One
5. Monitoring
Ongoing evaluations of IC's performance overtime -correction of internal control deficiencies -internal auditing is an integral part of the monitoring function (bc they are supposed to be fixing the IC)
"AS 2"
Original standard for auditing internal controls - Required bottom-up approach
Step 4: Respond to assessed risks
Overall effect on audit: (change audit plan) -Assignment of auditors to the team (do i need specialists? ) -Choice of accounting principles -*Predictability of auditing procedures* -Examination of adjusting journal entries (typical) -Look back at prior year accounting estimates for bias
More concerned with underreliance or overreliance?
Overreliance - because it may eventually result in issuance of an unqualified opinion on financial statements that are materially misstated
Double entry accounting provides a natural control against ______________.
Overstated revenues
Module E
Overview of Sampling
Audit Documentation required by PCAOB
PCAOB's GOAL: is to improve audit quality. They want a WRITTEN record supporting the auditor's conclusions. This documentation shows -Planning and performance of the work - Procedures performed and evidence obtained -Conclusions reached by the auditor
How do you determine is the principles are present and functioning?
POINTS OF FOCUS- make a questionnaire designed on these
Part 1
PUBLIC part -look at 45 to 60 audits -audit deficiencies = "failed" -do not say specific company name, but they is enough info to guess
What is the most fundamental component of internal control?
People
3. testing and reassessment
Perform Tests of Controls at Interim Re-Assess Control Risk If you are relying on the controls, all controls must be tested at least every three years (SAS 110) --some controls must be test every year --after SOX
7. measuring sample items
Perform appropriate tests of controls --Look for presence or absence of control applied by entity If item cannot be located, consider as a deviation --> Determine sample rate of deviation
Transaction (account)-level Controls
Pertain to specific classes of transactions, account balances, and disclosures
Entity-level Controls
Pervasive to the internal control system ex: controls... - Related to the control environment - Over management override - Company's risk assessment proceudres
Statistical Sampling
Plan that applies laws of probability to select items for examination and evaluates results. Statistical sampling plan differs from nonstatistical sampling plans in terms of methods used to determine appropriate sample size and evaluate sample results. In statistical sampling, these methods control exposure to sampling risk, while they do not in nonstatistical sampling. Both can be used under GAAS but nonstatistical sampling should not be used solely to reduce sample size
4. Adequate documents and records
Pre-numbered sales orders, shipping documents (bills of lading), sales invoices Remittance advice- (if not electronic): reduce misstatement in sales
1. comparable periods
Procedure: Comparison of current-year account balances to those of one or more comparable periods Source of Info: Financial account information for comparable periods. ex: compare current 3rd Quarter to previous year's 3rd Quarter
4. industry average
Procedure: Comparison of the current-year account balances and ratios with similar industry information. Source of Info: Industry statistics ex: how they are comparing to others?
2. anticipated results
Procedure: Comparison of the current-year account balances to anticipated results found in the company's budgets and forecasts. Source of Info: Company budgets and forecasts. ex: how far off is prediction? If don't meet predicted sales % increase -- look for increase in obsolete inventory
3. relationships of other balances (ratios)
Procedure: Evaluation of the relationships of current-year balances to other current-year balances for conformity with predicable patterns based on the company's experience. Source of Info: Financial relationships among accounts in the current period (ratios). ex: look for logical relationships: increase in credit sales, increase in A/R
5. nonfinacial information
Procedure: Study of the relationships of current-year balances with relevant nonfinancial information (e.g., production statistics). Source of Info: Nonfinancial information, such as production statistics.
Test of Controls
Procedures performed by audit team to determine operating effectiveness of client's key internal controls. Audit team's goal in perofrming test of controls is to determine rate at which client's controls are not functioning as intended (sample rate of deviation)
Module B
Professional Ethics
Prohibited Professional Services under SOX
Public company auditors cannot do these services for their auditing clients: making management decisions or auditing their own firm's work -bookkeeping and related services -design or implementation of financial information systems -appraisal or valuation services -actuarial services -internal audit outsourcing -management or human resources services -investment or broker/dealer services -legal and expert services (unrelated to the audit)
System of Quality Control (of CPA firm)
QC- how you evaluate a firm's practice Provides firm with reasonable assurance that the firm and its personnel 1. comply with professional standards and regulatory/legal requirements 2. issue reports that are appropriate in the circumstances Reviewed through either peer reviews (for firms auditing nonpublic entities) or PCAOB inspections (for firms auditing public entities)
Sample size of small populations
Quarterly - 2 Monthly - 2-4 Semimonthly - 3-8 Weekly - 5-9
Step 1: Audit team discussion: brainstorming
REQUIRED PROCEDURE 1. Discussion topics: --Incentives and pressures on management to commit fraud, opportunities for fraud, and culture/environment that could rationalize fraud (fraud triangle) --Risk of management override of controls (AJE's) --Indicators of earnings management --Importance of continuing professional skepticism --Potential responses to these threats 2. Setting proper tone for engagement 3. Discussions should be ongoing throughout the engagement
Professional Skepticism
Refers to an auditor's questioning mindset towards representations made by management and evidence gathered -Inquiry alone is never enough. The auditor must obtain sufficient corroborative evidence. -Unusual financial trends need investigation. -Documents are always checked for authenticity or possible alteration. -Ask questions, get answers, then verify the answers.
"cookie jar reserves"
Reserves to dip into to smooth earnings in future periods
Controller's Office
Responsible for recording the cash/journal entries
Chapter 7
Revenue and Cash Collection Cycle - LOTS of fraud
Chapter 5
Risk Assessment: Internal Control Evaluation
Imperative Principle
Rules based
Enforceable?
Rules of Conduct Interpretations -authority is derived from the by-laws of the AICPA
SEC
SEC -- PCAOB -- Auditing Standards (ASs)-- AS1-18 (in 12 years, only 17 because 1 failed, only for public companies)
6. Reports on IC - separate vs integrated
SEPARATE report on internal control: (most firms) -Opinion on financial statements contained in separate audit report -Extra paragraph added to report on internal control referencing opinion on financial statements. INTEGRATED audit report and report on internal control: -Includes auditor's opinions on 1) internal control effectiveness, and 2) the fairness of the company's financial statements. **Opinion on internal control is given at a point in time—the balance sheet date
Accounts affected by sales return and allowance transactions:
Sales returns (DR) Sales allowances (DR) Trade accounts receivable (CR)
Immediate family
Same restrictions as member Spouse, spousal equivalent, or dependents cannot have: -direct financial interest -material indirect financial interest -hold a key position with an audit client
ULRD =
Sample Rate of Deviation + Allowance for Sampling Risk (precision) (use sample size and number of deviations - chart)
Nonstatistical Attributes Sampling
Sample size based on judgment Should be approximately the same as sizes for statistical sampling Then why not use statistical sampling? --Often the sample sizes used are much smaller Selection may be block or haphazard Attempt to select a representative sample Permissible under GAAS
1. Account is not misstated/ Account is not misstated
Sample: ULM <= TM Population: AM <= TM Correct decision
3. Account is not misstated/ Account is misstated
Sample: ULM <= TM Population: AM > TM Risk of incorrect ACCEPTANCE - never know this for sure until it is too late -thought there was no MM, but one gets to the FS and you issue a clean opinion (AUDIT RISK- if you accept balance as fairly stated) -EFFECTIVENESS ISSUE (scary risk/dangerous threat)
2. Account is misstated/ Account is not misstated
Sample: ULM > TM Population: AM <= TM Risk of incorrect REJECTION -thought there was a MM, but there was not. -sample led to a wrong conclusion, but bigger sample better/different result -EFFICIENCY ISSUE (pressure)
4. Account is misstated/ Account is misstated
Sample: ULM > TM Population: AM > TM Correct decision
1. Rely/Rely on IC as planned
Sample: ULRD <= TRD Population: ARD <= TRD CORRECT decision
3. Rely on IC as planned/Reduce reliance on IC
Sample: ULRD <= TRD Population: ARD > TRD Risk of OVERreliance - risk of assessing control risk too LOW Should have concluded control was ineffective. EFFECTIVENESS LOSS (fired, reputation, litigation)
4. Reduce reliance/Reduce reliance on IC
Sample: ULRD > TRD Population: ARD > TRD Correct decision
2. Reduce Reliance on IC/ Rely on IC as planned
Sample: ULRD >TRD Popluation: ARD <= TRD Risk of UNDERreliance - risk of assessing control risk too HIGH --increased control risk and did more substantive test when we didn't need to. EFFICIENCY LOSS (pressure)
When to use sampling
Sampling can be used by auditor during study and evaluation of client's IC and the substantive procedures
Scope, Reporting, Timing: Integrated Audit
Scope: Test each relevant control activity each year Reporting: Opinion on the effectiveness of internal control Timing: Evaluate effectiveness of internal control as of year end
Scope, Reporting, Timing: Financial Statement Only Audit
Scope: Test relevant control activities IF relying upon them Reporting: No opinion on internal control. Timing: Evaluate effectiveness of internal control throughout the fiscal year
Motivated Reasoning
Seeking out information that confirms what you already believe.
Sequential (Stop-or-Go) Sampling
Select initial (smaller) sample and consider results Decision 1. Rely on control; discontinue sampling 2. Cannot rely on control a) Select additional items; make decision b) Discontinue sampling *rational, supportable, judgmental ("better" judgmental sample) -planning from the front end (strategic ahead of time) -layers of sampling
1. SOD
Separate functions for recording, authorization, custody
Virtue Ethics (Aristotle)
Setting self-focused standards for instilling interpersonal excellence and building character: -Virtues include honesty, openness, and integrity. -Behavior you would be proud to have widely reported.
Document Retention
Seven years from report release date --Required by Sarbanes-Oxley Act --If no report—from last day of fieldwork Workpaper changes after opinion released --*No deletions* --Additions must show who, when, why (these costs involved as called "David Duncan costs" - they are mostly electronic files so it is the cost of time and memory)
3. Access to Assets (cash and goods/inventory)
Shipping department (access to inventory shipped) Lock box account- straight to the bank
Reporting to the Audit Committee on IC matters
Significant deficiencies and material weaknesses SOX requires report in writing. During or after audit (before option goes out so no big surprises) Communication with management not required, but not precluded if beneficial. (don't talk to them if and only if they are reporting fraud) **applies to public and private
4b. Identify significant deficiencies
Significant deficiencies could adversely affect the organization's ability to initiate, record, process, and report data in the financial statements. They are important enough to bring to the attention of the audit committee. (even though it is not material) --Absence of appropriate separation of duties --Absence of appropriate reviews and approvals of transactions --Evidence of failure of control procedures
4. professional skepticism and professional judgement
Skepticism: appropriate questioning and critical assessment of evidence Judgement: application of training, knowledge, and experience in making informed decisions during an audit. Must be carefully documented so an experienced auditor with no knowledge of the client could understand judgement Both required throughout the entire audit process
Use of Auditor Specialists
Specialists are persons skilled in fields other than accounting and auditing who are not members of the audit team or employed by the client as an employee or consultant. (NOT on team and NOT paid by client) --If accounting/auditing specialty expert (AU 220 or 300) --If a "management specialist" used by the client to help prepare estimates or prepare financial statement numbers and disclosures (AU 500)
Ethical Decision Process
Stakeholder Theory (Ed Freeman) 1. define all facts and circumstances 2. identify stakeholders (i.e. vendors, customers,employees, community- do not all count the same) 3. identify stakeholders' rights and obligations in general to each other 4. identify alternatives and consequences 5. choose superior alternative with respect to consequences and/or rules (this is essentially applied utilitarianism)
Confirmation of bank balances
Standard Bank Confirmation Inquiry: -Must be mailed under auditor's own control. -Used to confirm deposit balances and loan balances -Also can be used to request information about contingent liabilities and secured transactions. Electronic Confirmation Requests: (know immediately if they received it and confirm with a call) -Many banks now only complete confirmation requests electronically (e.g., confirmations.com) -Can improve the control of both delivery and receipt of the confirmation request -Allowed by professional auditing standards
Public Regulation Discipline
State Board of Accountancy - can take license and certificate SEC - keep you from practicing, can ban you from serving as an officer or public company PCAOB - keep you from practicing IRS - if banned you will not have a job in tax * if banned by SEC/PCAOB - go private
1. statistical sampling
Statistical sampling methods use the laws of probability to: -Select sample items -Evaluate sample results Statistical sampling methods CONTROL the auditor's exposure to sampling risk
What is the "plug" of the audit risk model?
Substantive Procedures (Detection Risk)
If testing which is higher: TRD or EPRD?
TOLERABLE - always be bigger than expected. The closer they get the sample size increases and the room for error gets smaller
ex:
TRD = 9% EPRD = 4% ROO = 5% -> Control risk is moderate ~ .45 n = sample size = 100 (from infinite population table)
how to convert TM/EM to decimal
TRD = TM / BV EPDR = EM / BV the closer these 2 numbers get the less margin of error: INCREASE SAMPLE SIZE
dual direction test
Test backwards and forwards (*vouch and trace*) Ex: *payroll* 1. Did all recording payroll hours actually OCCUR? vouch from payroll journal to time logs 2. Were all labor hours recorded? (complete) trace from time logs to payroll
Control Activities
The "guts" of the internal control system Ex: - Segregation of duties - Approval and co-signing requirements -Restricted physical access
Deficiency in Operation
The control is designed well, but is not operating as designed.
Unqualified Opinion on Internal Controls
The entity's internal controls is designed and operating effectively (no material weaknesses) as of a certain date.
Audit Risk
The probability that an auditor will give an unqualified opinion on materially misstated financial statements. *APPLIED AT ASSERTION LEVEL
Business risk
The risk that the entity will fail to meet its stated business objectives
Information risk
The risk that the information disseminated by the company will be materially false or misleading (the risk that your client is lying) Users demand an independent third party assessment of the information --reason that auditors exist (must protect the investors)
Communication level for Management Fraud
Those charged with governance (AUDIT COMMITTEE)
Contingent Fees
Those fees based on a particular FINDING or OUTCOME Not permitted for ATTEST ENGAGEMENTS or preparing an original or amended tax return Not contingent if: (allowed) 1. Fixed by courts 2. Based on HOURS WORKED or SERVICES PROVIDED Allowed for NON-ATTEST (Other Tax, Consulting, Some Litigation Support) engagements (ex: franchise taxes- get a % of what they save. BUT once you become a testifying expert you cannot do a contingent fee)
Contingent Fees
Those fees based on a particular finding or outcome
4. wrap up
Tie up loose ends (ex: attorney letter) *Analytical Procedures required*
COSO 2013 GOAL
To determine whether the *five components* of internal control are present and functioning. *Present=Design* and Implementation *Functioning=Operation* Evidenced by *MOST of the (17) principles* being present and functioning. --Doesn't have to be all of them
Performance Principle (DO)
To provide reasonable assurance 1. plan and properly supervise 2. apply appropriate materially (it MATTERS) 3. Assess the risk of material misstatement based of our understanding of the entity and the environment (including internal control) 4. Sufficient appropriate evidence
Goal of the Audit Risk Model
To require auditors to design audits to reduce audit risk to an "acceptably low level"
Accounts affected by sales transactions:
Trade accounts receivable (DR) Bad debt expense (DR) Sales (CR) Allowance for uncollectible accounts (CR)
(NSR)Controlled by:
Training and Supervision Working Conditions (ex: too late, too much work) Effort
Advertising and solicitation of new clients are permitted. True or False?
True
Budgets provided by management provide the best management estimates for the sources and uses of cash. True or False?
True
Disbursements are typically authorized by the accounts payable department. True or False?
True
Errors are unintentional misstatements. T or F?
True
For public companies, AS 2201 only requires auditors to issue a report on the internal controls audit. True or False?
True
Most material weaknesses can be discovered by testing controls related to discovered misstatements. True or False?
True
Performing procedures at an interim date is less effective. True or False?
True
Testing controls is required only for audits of public companies under AS 2201. True or False?
True
The auditor must follow up on all exceptions. True or False?
True
Threatened litigation impairs independence if management and the auditors are suing each other. T or F?
True
A company can receive a clean opinion on its financial statements but an adverse opinion on internal controls. True or False?
True.
Auditors must discuss all deficiencies with management. True or False?
True.
Per ACIPA standards, auditors must communicate known significant deficiencies and material weaknesses to management, but not required to search for them. True or False?
True.
An "as of" opinion doesn't give you assurance for the whole year, just as of that date. True or False?
True; applies to 404(a) and (b)
In order to overstate revenues, one must credit revenue and debit something else. True or False?
True; but not foolproof
The auditor doesn't have to test the internal controls but they do have to understand and assess them. True or False?
True; if they don't test CR; they set it to 1
An auditor of an accelerated filer can assess CR at its maximum (1). True or False?
True; they can assess it as 1 but can't set it as 1. It means there are material weaknesses and results in adverse opinion.
Two types of SOC 1's
Type 1: Only about design of internal controls Type 2: About design AND the operating effectiveness of the controls ** As an external auditor, you want both
5 Types of Audit Opinions
Unmodified/Unqualified/Clean 4 MODIFIED: Qualified (GAAP violation or scope limitation) Adverse (GAAP violation) Disclaimer (Scope Limitation)
Variables Sampling
Used to estimate the amount (or value) of some characteristic of a population Used in the auditor's SUBSTANTIVE TESTS *Goal*: Estimate the amount of misstatement in an account balance or class of transactions (upper limit on misstatement) and compare to an allowable level (tolerable misstatement) Types of variables sampling 1. Monetary Unit Sampling 2. Classical variables samplin
Attributes Sampling
Used to estimate the extent to which a characteristic (attribute) exists within a population Used in *tests of controls* --Estimate the rate at which internal control policies or procedures are not functioning as intended (deviation conditions) --Compare rate to some allowable rate (tolerable rate of deviation)
Attributes Sampling
Used to estimate the extent to which a characteristic exists within a population Used in the auditor's study of INTERNAL CONTROL *Goal*: Estimate the rate at which the client's internal control is failing to function effectively and compare to an allowable level (tolerable deviation rate)
Variables Sampling
Used to examine population when auditor wants to estimate the amount or value of some characteristic of that population. Auditor uses variables sampling when performing substantive procedures to evaluate fairness of an account balance or class of transactions
Form of Organization and Name
Used to make us liable, now PROTECTS our liability (not as important anymore) A firm can practice in any form permitted by the state including: ++ Limited Liability Partnership (LLP) ++ Limited Liability Corporation (LLC) Name should not be misleading ALL CPA owners must be members to say "members of the AICPA."
Credit memorandum
Used to record credits for the return of goods
Discovery Sampling
Used when deviations from control are expected to be infrequent but very *critical* Allows the auditor to: --Determine the necessary sample size to find at least one example of a deviation if such deviations exist --Determine the probability that the rate of occurrence of a deviation is less than a specific (low) level ex: locking a vault, salmonella in Blue Bell IF YOU DISCOVER ONE FAILURE YOU ARE DONE
Dual direction test
VOUCH and TRACE 1. Did all the recorded sales actually occur? Vouch sample of invoices to shipping documents (occurrence) 2. Were all the shipments invoiced? Trace sample of shipping documents to invoices (completeness)
2. determine and apply appropriate materiality levels
WHAT MATTERS? -influences decisions of financial statement users -considered throughout audit --Qualitative Materiality Factors- small dollar amounts that makes a difference, i.e. meeting earnings or not, revenue increasing from previous year or not, negative or positive net income
4a. Evaluate the control deficiencies
Whether the result of a design deficiency or an operating deficiency, an internal control deficiency exists when the design or operation of a control does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion. *More serious internal control deficiencies can be categorized into one of two groups, significant deficiencies or material weaknesses, depending on their severity.*
Deficiency
When the design or operation of a control doesn't allow management or employees to prevent or detect misstatements on a timely basis.
1. planning
When? August-Sept. What? Design of Controls: could the controls work? Assign teams, specialists, consultants. *Analytical procedures required* (partial #'s)
3. year end
When? Dec-Feb What? Substantive Tests - testing to see if the amount is correct
2. interim
When? Sept. - Oct. What? Operation of controls: do the controls work? [test of controls]
Adverse Opinion on Internal Controls
Where at least 1 or more internal control weaknesses are disclosed -no penalty from SEC but not good
When is Variable Sampling?
YEAR-END: Substantive Testing Is the balance/amount fairly stated?
If an auditor detects a material misstatement in an account balance, does this imply a material weakness in internal controls?
Yes.
Where do independence rules apply?
apply to attestation engagements which include audits and reviews
Internal Control (an integrated framework (COSO))
a *process*, effected by an entity's *board of directors, management, and other personnel*, designed to provide *reasonable assurance* regarding the *achievement of objectives* in the following categories: *1. operations* *2. reporting* - four types *3. compliance* (THREE OBJECTIVES OF IC)
bank reconciliation
a client prepared document that the auditor uses for testing cash
independence in fact
a mental state of objectivity and lack of bias
Auditing
a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between the assertions and established criteria and communicating the results to the interested users *assertions- financial statements (including footnotes) *established criteria- GAAP, IFRS, etc *communicating results- auditor's report/other reports (opinions) *interested users- persons who rely on the financial reports (creditors and investors)
Audit
a type of attestation specific to the financial statements as a whole - make sure they are not materially misstated
risk of incorrect acceptance
acceptance of the balance as fairly stated when it is a really materially misstated -based in history like ROO (.05-.1)
example of significant accounts, locations, and assertions
accounts: AR, inventory, sales location: 22M , 6 M, 1.8 M, 200,000 assertion: valuation, existence
Purpose of GAAS
achieve these objectives: 1. obtain reasonable assurance about whether financial statements are free of material misstatement 2. report on the financial statements in accordance with the auditor's findings
foot
add up *column* numbers
crossfoot/cast
add up a *row* of #'s
footing
add up column of numbers
Inherent Risk in Revenue Cycle
always be HIGH!! --> Detection risk will always be low (moderate) What does that mean? MAXIMUM substantive tests
Dual Purpose test
an audit procedure that can be used as both a test of controls and a substantive test
SEC and PCAOB independence rules
an auditor's independence depends on BOTH having the proper mental state and passing the appearance test
Defalcation
another name name for employee fraud or embezzlement
Assurance services
anything to help clients make better decisions ex: PP, spreadsheet, report, compare software -lending of credibility to information, independent professional services that improve the quality of information or its context for decision makers
3. Ontological
appeal to professionalism - a professional would never do it kind of person you want to be, focus on virtue
2. indirect-effect noncompliance
are not related to specific accounts or disclosures on the financial statements (e.g., violations relating to insider trading, occupational health and safety, food and drug administration, environmental protection, and equal employment opportunity). Auditor's responsibility—Follow up on suspected violations material to the financial statements (do not plan audit to detect them, but you may catch them anyways- bring to mgmt attn and FOLLOW UP- cannot let it go-may need to disclose it)
Errors
are unintentional misstatements or omissions of amounts or disclosures in financial statements
Test of controls
assertions with controls and test of controls
2. assess control risk (preliminary) in Planning
assigned CR level high % - weak low % - strong
Sampling with replacement
assumes an infinite population (using tables) , but we have an finite population in audit
3. undue influence
attempts to coerce or otherwise influence the CPA member (e.g. significant gifts or threats to replace the auditor over an accounting principles disagreement) -could be positive or negative ex: angry lashing out with cussing or invite you to the opera, sports game, beach house
tickmark
audit symbol (used to make tick mark legend)
Disadvantages
auditor may continually extend the sample, creating inefficiencies
Immediately upon receipt of cash, a responsible employee should a) Record the amount in the cash receipts journal b) Prepare a remittance listing c) Update the subsidiary accounts receivable records d) Prepare a deposit slip in triplicate
b) Prepare a remittance listing
Which of the following circumstances would most likely cause an audit team to perform additional procedures due to heightened fraud risk? a) Supporting documents are produced when requested b) The client made several large adjustments at or near year-end c) The company has recently hired a new CFO after the previous one retired d) The company maintains several different petty cash funds
b) The client made several large adjustments at or near year-end (*what is unexpected? Surprising?)
An unexplained decrease in the ratio of gross profit to sales may suggest which of the following possibilities? A) unrecorded purchases B) unrecorded sales C) merchandise purchases being charged to SG&A D) fictitious sales
b) unrecorded sales
Why does the AICPA allow this?
bc large majority of members are small firms (few partners). If they do not allow it then it will cut profits of firms
Page 4 of notes
breaks assertions down by IS, BS, and footnotes also a chart on page 13
Checks
cancellation can only be done once look at back of check
Managerial Relationships
cannot act as a promoter, underwriter, or equivalent to an employee (i.e. no decision making) --management participation threat
Which of the following is least indicative of fraudulent activity? a) Numerous cash refunds have been made to different people at the same post office box address b) Internal auditors cannot locate several credit memos to support reductions of customers' balances c) The bank reconciliation has no outstanding checks or deposits older than 15 days. d) Three people were absent the day the auditors handed out the paychecks and have not picked them up four weeks later
c) The bank reconciliation has no outstanding checks or deposits older than 15 days.
Which of the following would the auditor consider to be an incompatible operation if the cashier receives the remittances? a) the cashier prepares the daily deposits b) The cashier makes the daily deposit at a local bank c) The cashier posts the receipts to the accounts receivable subsidiary ledger d) The cashier endorses the check
c) The cashier posts the receipts to the accounts receivable subsidiary ledger
Can provide other services
client tax services and other non-prohibited services to the audit clients if the company's audit committee has approved them in advance
independence in appearance
depends on whether a reasonable investor, with knowledge of all relevant facts and circumstances, can conclude that the auditor is not capable of exercising objective and impartial judgement
Auditor's primary responsibility
design procedures to provide reasonable assurance that frauds or errors that materially misstate the financial statements are detected.
design effectiveness
determines whether the controls over financial reporting, *if operating effectively*, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements. --after an understanding of internal controls is gained through inquiry, inspection, and observation, the controls are evaluated for the possibility that the controls would not prevent or detect a misstatement.
1. Principles (of AICPA code of conduct)
did not change: responsibilities, public interest, integrity, objectivity, due care, scope and nature of services
Due Care
diligence, competence, thorough, prompt
401 testing
do a [test of controls] + substantive tests? DUAL PURPOSE TEST -then in Dec-Feb they only need to look at the 4th quarter
Type of Variables Sampling
dollar unit or monetary unit sampling
Revise the CR
during the Interim stage: operation of controls -do the controls work? *usually increase *NEVER* decrease (one exception- controls you didn't know about)
Initial CR set
during the planning stage: design of controls -could the controls work?
4. lapping
employee fraud ALL THE TIME in small and midsize companies Receive cash in company - apply checks to different accounts and adjust, write-off accounts -a lot of work
3. Collectibility of Receivables
estimate the amount to be uncollectible - ADA -subjective and difficult -esp. with changes in product, customer base, credit policies, and economic conditons
opportunity for fraud
ex: BRIBES- book as investments that the co. is going to dispose of: only one chance to catch the fraud. -co will say they are going to auction it -minimal time bc not going to be a part of future business ex: put fraud in one division of the company then discontinuing operations in that division
Subordinating judgement
ex: find material misstatement - write memo to senior - senior says "nope we are not making the adjustment" - manager says "do what senior says" Now: testify against Board for your license and they take it because you are a professional so you are responsible
PCAOB
governing body took Congress 5 weeks to sign SOX depending on how many public clients you audit, the PCAOB will come in and check how you match up with the standards. If you don't comply to their recommendations in 1 year than they will reveal more. Why> Big 4 was only giving each other clean reviews
2. Returns and Allowances
higher IR if they have new products or technologies -difficult to estimate *way to uncover channel stuffing
Public Interest
honor the public trust -fundamental interest/job
tolerable misstatement
how much misstatement can we tolerate and still say that it is fair
Is it big enough to matter?
if a company has low materiality-- the more work you have to do
Rule of thumb
if sampling 10% of the population -- do finite population correction
1. Tolerable Rate of Deviation
if you want CR low? -believe that controls are strong -cannot tolerate much failure --> PUSH BUTTON HARD (low: 2-7%) DIRECT relationship with control risk
Threatened Litigation
impairs independence if management and the auditors are suing each other. Lawsuits form 3rd parties do NOT affect independence. Ex: shareholders (or another company) sue you and the company
Objectivity
impartial, unbiased, and independent. Free of conflicts of interest and independent "in fact and appearance"
GAAS
including both generally accepted auditing standards
Any fraud committed by management (no matter how small) is never ________.
inconsequential
Environment prone to fraud?
increased probability for fraud in certain environments ex: don't help their employees - no healthcare *helpful environments: outstanding healthcare and benevolence funds
2. Independence
independence in fact (mind and mental attitude) VS independence in appearance (relates to others' perception-particularly F/S users) - must be BOTH applies to financial (owning shares of stock) and managerial relationships(having decision making capacity or auditing your own work)
Timing can accept a higher DR with testing performed at ______________.
interim.
ERM framework
internal environment: objective setting event identification risk assessment risk response control procedures --> information and communication --> monitoring
handout
inverted compared to other tables
design deficiency
is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control's objective.
Larceny
is simple theft of an employer's property that is *not entrusted* to an employee's care, custody or control.
Employee Fraud
is the use of fraudulent means to take money or other property from an employer. If consists of 3 phases: 1. the fraudulent *act* 2. the *conversion* of the money or property to the fraudster's use 3. the *cover-up*
Audit Risk
is tied to business risk - must be approached objectively
Goal in the Performance Principle
provide REASONABLE ASSURANCE that financial statements do not contain material misstatements whether due to fraud or error
operating effectiveness
is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. --A sample of transactions is examined using inquiry, observation, inspection, AND reperformance. --Tests of controls are not performed if design is not effective.
Embezzlement
is wrongfully taking money or property *entrusted* to one's care, custody, and control, often accompanied by false accounting entries and cover-up.
minor effects schedule
keep track of difference, if they add up to something material then make client make an adjustment. If not then uncorrected immaterial misstatement
Higher Audit Risk =
less work because you can accept a higher DR (directly correlated)
3. due care
level of performance by reasonable auditor in a similar circumstance (a prudent auditor)
Cash is highly ______, easily _________, and not easily _________.
liquid transportable identifiable **PRIMARY TARGET for employee thieves
Exhibit 6.9: illustration of proof of cash
looking for unrecorded transfers 1. put bank rec#'s into excel 2. foot 3. bottom line is book numbers (balance -receipts- disbursements (cross footed)) 4. right corner is the proof Proof should always = unless client is transferring in or out and not recording it in the books - possible they have accounts you don't even know about
ex: prepaid insurance
low IR strong controls --possibly no sub. tests, just analytical procedure
bank confirmation
mailed under your control request contingent liabilities (ex: inventory as collateral)
Management Fraud Risk
management intentionally misstates financial statements --Fraudulent financial reporting
1. direct-effect noncompliance
produce direct and material effects on the financial statements. The law or regulation can be identified with a specific account or disclosure (e.g., income tax evasion, FCPA). *Auditor's responsibility*--design procedures to provide reasonable assurance of detecting ex: tax evasion and bribes
sample rate of deviation =
number of deviations / sample size
Scope and nature of services
observe the principles when considering the scope and nature of services provided - only undertake services you can actually provide, in your realm of expertise (do not accept jobs out of your scope for the $$)
operating deficiency
on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained). --well-designed, by they do not do it bc not trained, lazy, stupid
Review Risk Matrix Model
page 7 --if IR is high then DR is never high
Integrity
perform responsibilities with the highest sense of integrity - do what you say/stand under pressure
Types of confirmation
positive - blank negative
1. plan work and supervise assistants
preparation of audit plan- list of the audit procedures that auditors need to perform to gather sufficient evidence on which to base their opinion on the F/S
General Standards
purpose of 201: apply to ALL services (audit, tax, consulting, etc) 1. competence and care 2. planning and gathering evidence
ULRD > TRD
reduce planned reliance on controls ineffective controls (increase CR, decrease DR = more sub tests)
What do users demand?
reliable information
ULRD <= TRD
rely on the controls effective controls
1. Inherent Risk
risk of MM in the absence of controls (at the entity level, the account level (AR or inventory) or the assertion level (overstatement- existence or valuation) --a measure of the susceptibility of an account to misstatement.
3. Detection risk
risk that the auditor will miss a MM (a plug in the audit risk equation) --the last catch The amount of risk auditors will allow and still maintain the overall AR that they set for themselves
Audit risk
risk that the auditor will sign off on MM F/S -the risk (likelihood) that the auditor may unknowingly fail to modify the opinion on financial statements that are materially misstated (e.g., an unqualified opinion on misstated financial statements.)
2. Control Risk
risk that the client's internal controls will miss a MM (should catch the MM)
Sampling Risk
risk that the decision made based on the sample differs from the decision that would have been made by examining the entire population Cause? NON-REPRESENTATIVE sample (ex: ROO is a type of SR)
triggers
sales order is a trigger for # goes to inventory pricing is a trigger for misstatement
ex: mature client
set AR at 5% with IR high and strong/moderate controls .05 = 1.00 X .5 X .1 (we can do less substantive tests of controls but if they fail you have to increase the control risk, which will decrease DR and make you do more tests)
ex: new client
set AR at 5% with IR high and weak controls .05 = 1.00 X 1.00 X .05 (DR is a plug)
Blank Confirmation
should be used if the recipient is likely to return a positive confirmation without verifying the accuracy of the information. -for stupid people -an insult so it will probably take longer to get back -you sent them a positive last year and they signed off on the wrong amount so you cannot trust them now
Contingent Fees and Commission and Referral Fees
similar in nature introduce competition into the market, but both could be corrupting to the profession
Internal Control Structure
simply a different way of viewing the business-a perspective that focuses on doing the right things in the right way -in many cases you perform controls and interact with the control structure everyday, perhaps without even realizing it
Correct for finite population
square root of (1- (n/N)) * 100 ALWAYS Round up *save you time and money
Employee fraud
stealing money or materials from company -don't care about this because we are meant to find MATERIAL misstatements -report to upper management
Planning Memorandum
summary of the planning procedures (also known as strategy memo) fundamental document in the plan it is primarily the job of the senior- must get it signed off on basis for the audit plan Considerations: company, risks, and people
ULRD = TRD
technically the control is effective, but should expand sample
Exhibit 6.4
tests of controls over cash disbursements
Ethics
that branch of philosophy which is the systematic study of reflective choice, of the standards of right and wrong by which it is guided, and of the goods toward which is may ultimately be directed -Wheelwright -an uncertain choice to made. How do you make it? follow principles! (not rules)
Advantages
that evidence may support reliance on control with a relatively small sample size (But you only get the assurance level of the smaller n)
SEC guideline - SAB 104 (SEC Staff Accounting Board)
to be realized or realizable and earned ALL 4 must be met: 1. persuasive evidence of an arrangement exists 2. delivery has occurred or services rendered 3. the seller's price to the buyer is FIXED or DETERMINABLE (hinged on commodity price) 4. Collectibility is reasonably assured
Risk Assessment Procedures
used to determine inherent risk and the initial level of control risk during planning Inherent risk x Control risk=Risk of material misstatement --> IR X CR = RMM
Confirmations
useful for verifying existence
Timing can accept a lower DR with testing performed at ______________.
year end.
If you have the power to w/o receivables --
you can STEAL -person needs to be authorized -did they try to collect it first? -should be a standard procedure (ex: letter) -go through outside legal council -wait another X amount of days til you officially w/o