Audit 9.3
In an integrated audit, an auditor should issue an adverse opinion on the effectiveness of an entity's internal control in which of the following situations?
A material weakness exists. bc: An audit of the effectiveness of internal control over financial reporting is integrated with an audit of the financial statements. If the engagement determines that a material weakness exists, the auditor should express an adverse opinion on the effectiveness of internal control (AU-C 940).
During the audit of internal controls integrated with the audit of the financial statements, the auditor discovered a material weakness in internal control. The auditor most likely will express a(n)
Adverse opinion on internal control. bc: Material weaknesses are significant control deficiencies that result in more than a remote chance that a material misstatement will result in the financial statements. A material weakness requires the auditor to express an adverse opinion on the effectiveness of internal control.
According to the PCAOB, each of the following statements is true with respect to the auditor's responsibility to communicate material weaknesses in internal control over financial reporting except
All such weaknesses must be communicated in writing to all stockholders. bc: The auditor only needs to communicate material weaknesses in writing to management and those charged with governance, including the audit committee.
Which of the following best describes a CPA's engagement to report on an entity's internal control over financial reporting?
An audit engagement that results in issuance of a report relating to the effectiveness of internal control. bc: In such an attest engagement, the auditor issues a report relating to the effectiveness of the entity's internal control over financial reporting. The practitioner, as part of engagement performance, obtains from management a written assessment about such effectiveness. AU-C 940 and AS 2201 define the objective of the engagement to express an opinion on the effectiveness of internal control over financial reporting similarly.
Each of the following statements is correct regarding the likely sources of potential misstatements in an integrated audit except
An evaluation of the entity's information technology risk and controls should be performed separately from the top-down approach. bc: The auditor begins an integrated audit at the statement level by understanding overall risks to internal control over financial reporting. (S)he then focuses on entity-level controls and works down to significant classes of transactions, account balances, disclosures, and their relevant assertions. The following are examples of entity-level controls: (1) the control environment, (2) controls over management override, (3) monitoring of the results of operations, (4) controls over the period-end financial reporting process, (5) monitoring of other controls, and (6) the risk assessment process.
To ensure that the audit report for an issuer is prepared in accordance with Section 404 of the Sarbanes-Oxley Act of 2002, the report must
Attest to and report on the internal control assessment made by the management of the issuer. bc: Section 404(a) requires an issuer to include in its annual report an internal control report (1) stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and (2) an assessment of the effectiveness of the internal control structure and procedures for financial reporting. Section 404(b) requires the issuer's auditor to report on the effectiveness of internal control over financial reporting. [But the requirement in 404(b) does not apply to nonaccelerated filers (issuers with market equity of less than $75,000,000).]
An auditor expresses an unmodified opinion on internal control over financial reporting after an audit integrated with a financial statement audit. As a result, the
Auditor believes that controls are effective. bc: The auditor's objective in an audit of internal control over financial reporting is to express an opinion on whether the entity maintained, in all material respects, effective internal control as of the specified date, based on the control criteria.
Snow, CPA, was engaged by Master Co., a nonissuer, to audit the effectiveness of Master's internal control over financial reporting as part of an integrated audit. Snow's report should state that
Because of inherent limitations, internal control may not prevent, or detect and correct, misstatements bc: The auditor's report states that because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risks that (1) controls may become inadequate because of changes in conditions or (2) the degree of compliance with the policies or procedures may deteriorate (AU-C 940).
Which of the following statements correctly describes the "top-down approach" used during an audit of internal control over financial reporting?
Begin by understanding the overall risks to internal control over financial reporting at the financial statement level. bc: The auditor begins an integrated audit at the financial statement level by understanding the overall risks to internal control over financial reporting and focusing on entity-level controls. The auditor then performs procedures on significant classes of transactions, account balances, disclosures, and their relevant assertions.
In an audit of internal control over financial reporting, which deficiencies in control should be communicated in writing to those charged with governance?
Both material weaknesses and significant deficiencies. bc: The auditor should communicate, in writing, to management and to those charged with governance all material weaknesses and significant deficiencies identified during the audit. The written communication should be made prior to the report release date. The auditor also should communicate to management, in writing, all lesser deficiencies in internal control and inform those charged with governance when such a communication has been made.
Which of the following most accurately describes the process of a walkthrough?
Following a transaction from its origination until it is reflected in the financial statements. bc: Performing walkthroughs will frequently be the most effective way of achieving the objectives in testing controls. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and reperformance of controls.
Brown, CPA, has accepted an engagement to audit the effectiveness of the internal control over financial reporting of Crow Company (a nonissuer) and to issue a report on such audit. In what form does Crow present its written assessment about effectiveness? I. In a separate report that accompanies Brown's report II. As a note to the financial statements
I only bc: An auditor may audit internal control only if certain conditions are met. One condition is that management provide its assessment about the effectiveness of the entity's internal control in a report that accompanies the auditor's report (AU-C 940). Included in the separate report is a condition of accepting the engagement.
Which of the following audit procedures, if used, should be combined with other audit procedures when testing the operating effectiveness of controls?
Inquiry bc: The following tests are presented in order of the evidence that they ordinarily produce, from least to most: (1) inquiry, (2) observation, (3) inspection of relevant documentation, and (4) reperformance of a control. Inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control.
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued a document in 1992 that has been embraced by numerous organizations, including the AICPA and the GAO. That document is titled
Internal Control--Integrated Framework. bc: Many professional and regulatory bodies, including the PCAOB, have recognized the COSO's internal control framework by incorporating its terms, definitions, and concepts into their policies, procedures, pronouncements, and other literature.
A CPA's understanding of internal control in a financial statement audit of a nonissuer
Is usually more limited than that made in an audit of internal control integrated with an audit of financial statements. bc: The scope of the understanding of internal control in a financial statement audit of a nonissuer is usually less than that in an audit of internal control integrated with an audit of financial statements. In the integrated audit, the auditor tests controls to support the opinion on the effectiveness of internal control. To express an opinion on internal control, the auditor obtains evidence about the effectiveness of selected controls over all relevant assertions. When obtaining the understanding of internal control during a financial statement audit, the auditor need not test controls unless (1) the auditor's risk assessment is based on an expectation of the effectiveness of controls or (2) substantive procedures alone do not provide sufficient appropriate evidence.
In an integrated audit, if an auditor concludes that a material weakness exists as of the date specified in management's assertion, the auditor should take which of the following actions?
Issue an adverse opinion. bc: A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that a reasonable possibility exists that a material misstatement of the entity's annual or interim financial statements will not be prevented or detected on a timely basis. A material weakness requires the auditor to express an adverse opinion on the effectiveness of internal control.
In reporting on an audit of an issuer's internal control over financial reporting, an auditor should include a statement that describes the
Limitations inherent to internal control. bc: The auditor's report states that because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risks that (1) controls may become inadequate because of changes in conditions or (2) the degree of compliance with the policies or procedures may deteriorate (AU-C 940).
Which of the following statements would an auditor most likely require management to indicate in a written representation letter obtained for an audit?
Management acknowledges its responsibilities for the design and implementation of programs and controls to detect fraud. bc: The auditor should obtain written representations from management acknowledging management's responsibility for establishing and maintaining effective ICFR.
In the audit, the auditor reports on the effectiveness of an entity's internal control over financial reporting. Which of the following is not a condition of that engagement?
Management provides assurance that limitations inherent to internal control have been eliminated. bc: By their nature, limitations inherent to internal control cannot be eliminated. Thus, management is not expected to provide such assurance.
Section 404 of the Sarbanes-Oxley Act of 2002 requires each annual report of an issuer to include which of the following?
Management's assessment of the effectiveness of internal control over financial reporting. bc: Every public company (an issuer) must include in its annual report management's assessment of the design and effectiveness of internal control over financial reporting. An accelerated filer (a company with market equity of at least $75 million) also must annually obtain an auditor's report on internal control over financial reporting.
When engaged to express an opinion about the effectiveness of a nonissuer's internal control over financial reporting, the auditor should
Obtain management's written representation acknowledging responsibility for establishing and maintaining internal control. bc: Management should include a written assessment of control effectiveness based on the control criteria. Failure to provide these representations should cause the auditor to withdraw from the engagement.
An issuer who is an accelerated filer subject to the Securities Exchange Act of 1934 is required to include in its annual report an auditor's opinion on whether internal control over financial reporting was
Properly designed and operated effectively. bc: According to PCAOB's AS 2201, the report states the auditor's opinion on whether the entity maintained, in all material respects, effective internal control over financial reporting as of the specified date based on the control criteria.
Management of an issuer subject to SEC requirements requests the auditor to report on whether a previously reported material weakness in internal control continues to exist. The request comes 3 months after the annual audited financial statements and report on internal control were released.
The auditor may accept the engagement if management provides a statement that the identified material weakness no longer exists. bc: PCAOB AS 6115 applies to engagements solely to report on whether a previously reported material weakness continues to exist. Such an engagement is voluntary and may be performed as of any reasonable date selected by management. To perform such an engagement, the auditor should receive a written report from management that the identified material weakness no longer exists as of the date specified. The auditor then applies appropriate procedures to assess whether remediation has been accomplished.
When planning an engagement to audit the effectiveness of the entity's internal control in an integrated audit of a nonissuer, a practitioner would least likely consider which of the following factors?
The evaluation of the operating effectiveness of the controls. bc: The audit of a nonissuer's internal control over financial reporting should be integrated with the financial statement audit. Evaluating certain matters may assist the auditor's planning of the audit, but the evaluation of the operating effectiveness of the controls is not one of those matters. This evaluation is not made until the auditor forms an opinion by considering the evidence obtained from all sources, including (1) tests of controls, (2) misstatements detected during the audit, and (3) identified deficiencies.
Which of the following is a true statement concerning an engagement to examine the effectiveness of an entity's internal control over financial reporting?
The management evaluates the effectiveness of internal control. bc: As part of engagement performance for both AU-C 940 and AS 2201, the auditor should obtain from management a written assessment about internal control effectiveness.
In the integrated audit, which of the following would not be considered an entity-level control?
The outside auditor's assessment process of internal auditor competence and objectivity. bc: The auditor begins an integrated audit at the statement level by understanding overall risks to internal control over financial reporting. (S)he then focuses on entity-level controls and works down to significant classes of transactions, account balances, disclosures, and their relevant assertions. The following are examples of entity-level controls: (1) the control environment, (2) controls over management override, (3) monitoring of the results of operations, (4) controls over the period-end financial reporting process, (5) monitoring of other controls, and (6) the risk assessment process. But the outside auditor's assessment process of internal auditor competence and objectivity is external to the entity.
Which of the following best describes a CPA's responsibility to report on an issuer's (public company's) internal control over financial reporting?
To examine the effectiveness of its internal control. bc: The auditor's objective is to express an opinion on whether internal control is effective, in all material respects, based on the control criteria.
The audit of internal control over financial reporting should test Design Effectiveness Operating Effectiveness
Yes Yes bc: The auditor should test design effectiveness by determining whether the controls, if they are operated as prescribed by persons with the necessary authority and competence to perform the control effectively, (1) satisfy the control objectives and (2) can effectively prevent, or detect and correct, fraud or errors that could result in material misstatements in the financial statements. The auditor should test the operating effectiveness of a control by determining whether (1) the control is operating as designed and (2) the person performing the control possesses the necessary authority and competence to perform the control effectively.
An auditor is auditing internal control in conjunction with the audit of financial statements for an issuer. The auditor is considering the appropriate materiality level for planning the audit of internal control. Relative to the materiality level for the audit of the financial statements, materiality levels for the audit of internal control are
the same bc: Auditing standards indicate that the auditor should use the same materiality considerations in the audit of internal control over financial reporting that (s)he would use in planning the audit of annual financial statements.
If an auditor performing an integrated audit identifies one or more material weaknesses in a nonissuer's internal control, the auditor should
Express an adverse opinion on the entity's internal control. bc: Material weaknesses are significant control deficiencies that result in more than a remote chance that a material misstatement will result in the financial statements. A material weakness requires the auditor to express an adverse opinion on the effectiveness of internal control.
An auditor is conducting an integrated audit of internal control with the audit of a nonissuer's financial statements. In applying the top-down approach, the auditor first
Focuses on entity-level controls and then significant classes of transactions, account balances, and disclosures. bc: The top-down approach to evaluating internal control begins at the financial statement level by understanding overall risks, focusing on entity-level controls, and then working down to significant classes of transactions, account balances, and disclosures. Examples of entity-level controls are controls (1) related to the control environment, (2) over management override, (3) to monitor results of operations, (4) over the period-end financial reporting process, and (5) to monitor other controls.
Which of the following is not a role of the risk assessment in an integrated audit of a nonissuer?
Concluding on the effectiveness of a given control. bc: Risk assessment underlies the examination process, including the determination of (1) significant accounts and disclosures, (2) relevant assertions, (3) controls to test, and (4) the evidence necessary to assess the effectiveness of a given control. When an examination of internal control is integrated with an audit of financial statements, the same risk assessment process supports both engagements. But the auditor must test the effectiveness of the design and operation of a control before concluding on its effectiveness.
Firms subject to the reporting requirements of the Securities Exchange Act of 1934 are required by the Foreign Corrupt Practices Act of 1977 to maintain satisfactory internal control. Moreover, the Sarbanes-Oxley Act of 2002 requires that annual reports include (1) a statement of management's responsibility for establishing and maintaining adequate internal control and procedures for financial reporting, and (2) management's assessment of their effectiveness. The role of the registered auditor relative to the assessment made by management is to
Determine whether management's report is complete and properly presented. bc: According to PCAOB AS 2201, the auditor must express (or disclaim) an opinion on the effectiveness of internal control. Moreover, if the auditor determines that elements of management's annual report on internal control over financial reporting are incomplete or improperly presented, the auditor should modify his or her report to describe the reasons for this determination.
Cain Company's management engaged Bell, CPA, to audit the effectiveness of Cain's internal control over financial reporting. Bell's report, which was accompanied by management's separate report presenting its written assessment about the effectiveness of internal control, described several material weaknesses and potential errors and fraudulent activities that could occur. Subsequently, management included Bell's report in its annual report to the board of directors with a statement that the cost of correcting the weaknesses would exceed the benefits. Bell should
Disclaim an opinion as to management's cost-benefit statement. bc: If the assessment accompanying the auditor's report includes a statement that the cost of corrective action exceeds the benefits of implementing new controls, the auditor should include language that disclaims an opinion on the cost-benefit statements as the last paragraph of the report. Also, given material weaknesses, the auditor should express an adverse opinion on the effectiveness of internal control.
The Sarbanes-Oxley Act of 2002 (SOX) requires management of issuers to do all of the following except
Provide a statement that the board approves changes in internal control procedures. bc: SOX imposes many requirements on management, boards of directors, and auditors. Section 404 applies to internal controls and reports on them. Section 404 requires management to establish and document internal control procedures and to include in their annual reports a report on the entity's internal control over financial reporting. The report is to include (1) a statement of management's responsibility for internal control, (2) management's assessment of the effectiveness of internal control as of the end of the most recent fiscal year, and (3) identification of the framework used to evaluate the effectiveness of internal control (such as the COSO report). Because of this requirement, PCAOB AS 2201 states that audit opinions are to be expressed on the effectiveness of those controls and on the financial statements. Section 301 addresses activities of the board but does not require the board to approve changes in controls.
In obtaining an understanding of an issuer's internal control, an auditor does all the following except
Send confirmations to customers. bc: Confirmations to customers are substantive procedures used to test the existence assertion. They are not useful in obtaining an understanding of controls.
The auditor's report expressing an opinion on the effectiveness of an entity's internal control over financial reporting should include all the following except
That the entity's internal control is consistent with that of the prior year after giving effect to subsequent changes. bc: Neither the AICPA's AU-C 940 nor the PCAOB's AS 2201 requires the opinion on the effectiveness of internal control over financial reporting to contain a statement about consistency. Moreover, lack of consistency is not a basis for modification of the standard report.
