Ch 4: Management Fraud and Audit Risk


enterprise risk management (ERM)

"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

an asset amount that can be investigated and found to be false or questionable. The matter of finding and investigating the dangling credit is normally very difficult. It "dangles" off the books.

"dangling debit" theory

company sources

(1) reviewing the corporate charter and bylaws or partnership agreement, (2) reviewing contracts, agreements, and legal proceedings, and (3) reading the minutes of the meetings of directors and committees of the board of directors are all examples of what source of information for assessing risk

set a proper tone for the engagement

A secondary objective of the brainstorming discussions during risk assessment is to....

preliminary

According to auditing standards, analytical procedures must be applied in the ____stages of each audit.

1. direct effect noncompliance 2. indirect effect noncompliance

Auditing standards deal with what two types of noncompliance

1. Discussions with engagement personnel 2. Procedures to identify and assess risk 3. Significant decisions during discussion 4. Specific risks identified and audit team responses. 5. Explanation of why improper revenue recognition is not a risk. 6. Results of audit procedures, particularly procedures regarding management override 7. Other conditions causing auditors to believe that additional procedures are required. 8. Communications to management and those charged with governance, such as the audit committee.

Auditors must carefully document the risk assessment process in the workpapers to provide a record of the procedures performed. Items that must be documented include these:

1. develop an expectation 2. define a significant difference (percent difference that is considered reasonable) 3. compare expectation with recorded amount 4. investigate significant differences 5. document each of the preceding steps

Auditors should perform what five steps when completing analytical procedures

nature, timing, extent

Based on the allowable or planned level of detection risk (which is based on the assessment of IR and CR), auditors modify the ___, the ______, and the _____of further audit procedures.

fraudulent financial reporting

Because management fraud usually takes the form of deceptive financial statements, management fraud is sometimes referred to as....

2, 2

Because of the double-entry bookkeeping system, fraudulent accounting entries always affect at least ____ accounts and ____ places in financial statements.

general business source

Bloomberg Businessweek, Forbes, and Fortune are examples of what source of information for assessing risk

yes

Can an external auditor withdraw from an engagement if management and directors do not take satisfactory action after being notified of noncompliance?

embezzlement, larceny

Employee fraud can be classified as either _____ or ______.

1. the fraudulent act 2. the conversion of funds or property to the fraudster's use 3. the cover-up

Employee fraud consists of what three phases?

(1) the reporting objectives of the engagement and the nature of the communications required by auditing standards, (2) the factors that are significant in directing the activities of the engagement team, and (3) the results of preliminary engagement activities and the auditor's evaluation risk assessment.

In establishing the overall audit strategy, the auditor should take into account (3)

1. industry & external factors 2. nature of company 3. accounting principles and disclosures 4. objectives and strategies 5. measurement and analysis of financial performance

In the first step in the risk assessment process where you understand the company and its environment, what 5 things do you need to know

control

Managers build in controls to prevent errors in financial statements from happening, but they may not function as intended. This is known as ____ risk

1. company's organizational structure and management personnel 2. the sources of funding of the company's operations and investment activities 3. the company's significant investments 4. the company's operating characteristics, including its size and complexity 5. The sources of the company's earnings, including the relative profitability of key products and services, and key supplier and customer relationships.

Obtaining an understanding of the nature of the company includes understanding (5)

inherent risk, control risk

Risk of material misstatement (RMM) is comprised of.... (2)

business risks

Risks that could adversely affect companies' ability to achieve objectives and execute strategies are called....

1. internal environment 2. objective setting 3. event identification 4. risk assessment 5. risk response 6. control activities 7. information and communication 8. monitoring.

The ERM framework is composed of what eight elements

1, SEC

The Private Securities Litigation Reform Act of 1995 imposed another reporting obligation that when auditors believe an illegal act that is more than "clearly inconsequential" has or may have occurred, the auditors must inform the company's board of directors. When the auditors believe the illegal act has a material effect on the financial statements, the board of directors has ______ business day(s) to inform the ____

inform the organization's board of directors

The Private Securities Litigation Reform Act of 1995 imposed another reporting obligation that when auditors believe an illegal act that is more than "clearly inconsequential" has or may have occurred, the auditors must.....

detection risk

The likelihood that an error or fraud will not be caught by the auditor's procedures

effectiveness

The nature of the procedures refers to the overall ____ of further audit procedures in detecting misstatements.

significant, relevant disclosures

Using the audit risk model, the auditor adjusts detection risk for _____ accounts and _____

"The auditors communication with those charged with corporate governance"

What is SAS 114

Focuses on direct effect illegal acts

What is SAS 54

Consideration of fraud in a financial statement audit - must specifically assess the risk of material misstatement due to fraud for every engagement

What is SAS 99?

SEC form that requires an explanation of an organization's change of auditors

What is form 8-k

preliminary analytical procedures

When completing _______, auditors are required to develop an expectation about what an account balance should be and then compare that expectation to the recorded balance. When doing so, auditors typically use the prior-year balances as the starting point for their expectation for each account balance.

if noncompliance is "clearly inconsequential," and has impact on FS

When must an auditor respond to a client's noncompliance or suspected noncompliance?

matrix approach

When risk is measured qualitatively, how do firms multiply words to assess risk?

inherent

You can think of this risk as the susceptibility of the account to misstatement.

Business risk

_____ assessment makes auditors much more knowledgeable about their client's business and its environment. We should note that, even when taking a top-down approach that starts with an understanding of the risks faced by the client in executing its strategy within the industry, the audit team ultimately still has to focus its procedures on the key accounts and management assertions

business

a detailed understanding of the client's ______ risk is a precursor to assessing audit risk.

enterprise risk management (ERM)

a framework such as the one developed by the Committee of Sponsoring Organizations (COSO) to facilitate the assessment and mitigation of business risks that the entity faces.

Interviewing the entity's management, internal auditors, directors, the audit committee, and other employees

a required audit process that can bring auditors up to date on changes in the business and the industry. Such inquiries of client personnel have the multiple purposes of building personal working relationships, observing the competence and integrity of client personnel, obtaining a general understanding, and probing for problem areas that could harbor financial misstatements.

embezzlement

a type of employee fraud involving employees or nonemployees wrongfully misappropriating funds or property entrusted to their care, custody, and control, often accompanied by false accounting entries and other forms of deception and cover-up.

1. gather info from client acceptance and retention evaluation, audit planning, past audits and other engagements 2. perform analytical procedures 3. brainstorming 4. inquire of audit committee, management and others

after assessing internal controls over financial planning in the risk assessment process, what 4 things must be done to consider the risk of fraud (first 4 steps of 7)

significant accounts or disclosures

an account or disclosure that has a reasonable possibility of containing a material misstatement regardless of the effect of controls.

reasonableness

analytical procedures are _____ tests; auditors compare their expectation for each of the account balances with those recorded by management.

defalcation

another name for employee fraud, embezzlement, and larceny. Auditing standards also call it misappropriation of assets.

management

any fraud committed by _______ no matter how small is material

accounting estimates

approximations of financial statement numbers that are often included in financial statements.

no

are audit teams concerned with fraud that does not affect the financial statements?

yes

are auditors required to respond to a subpoena issued by a court or other agency (due to client confidentiality)

independent, outside members of the board of directors (those not involved in the company's day-to-day operations) who can provide a buffer between the audit firm and management.

audit committees are composed of...

1. inherent risk 2. control risk 3. detection risk

audit risk can be broken down into....

financial statements as a whole, each relevant assertion for significant accounts and disclosures

audit risk is evaluated for both the _____ and for _____

fraud risk

auditing standards require that auditors must presume that improper revenue recognition is a _____

significant

by definition, fraud risks are all _____ risks

no, it is conceptual

can auditors calculate the exact level of DR?

no

can auditors place complete reliance on internal controls to the exclusion of other audit procedures?

more

complexity of the transactions: does being more or less complex lead to higher percentage of errors?

risk response

component of the ERM framework that addresses how the organization will prevent or respond to the adverse conditions if they actually occur. The responses include management policies and procedures to eliminate, mitigate, or compensate for the risks identified.

control activities

component of the ERM framework that are policies and procedures to ensure that risk responses are appropriate given the circumstances and environment in which the organization operates.

monitoring

component of the ERM framework that includes regular management and supervisory activities over risk management activities to make sure they remain in place and operate effectively. (internal audit groups)

objective setting

component of the ERM framework that is management's responsibility to determine the goals and objectives of the organization.

internal environment

component of the ERM framework that is the "risk consciousness" of the organization and includes the organization's risk management philosophy and "risk appetite," its integrity and ethical values, and the environment in which it operates.

event identification

component of the ERM framework that is the identification of conditions and events that could adversely affect management's objectives. Supplier problems, poor weather conditions that can affect the trucks supplying the stores, and information system breakdowns are just several of the events that could adversely affect Walmart's ability to keep its stores' shelves stocked.

risk assessment

component of the ERM framework that is the systematic process for estimating the likelihood of adverse conditions occurring. Risks are assessed in terms of both likelihood and impact.

Information and communication

component of the ERM framework that links all components of the ERM. I

management fraud

deliberate fraud committed by management that injures investors and creditors through materially misstated information.

yes

do different types of accounts have different levels of risk for the same assertions (existence, valuation, etc)

yes

do professional auditing standards require auditors to let financial statement users know whether they have substantial doubts as to whether the client will be able to survive into subsequent periods?

no, except that it should be "appropriately" low.

does the audit profession have an official standard for acceptable level of audit risk?

higher

dollar size of the account: does a higher account balance lead to a lower or greater chance of having errors or fraud in the account

yes

due to the fact that auditors are required to keep client information confidential, under AICPA auditing standards, can limited disclosures to outside agencies of frauds and clients' noncompliance be permitted?

horizontal analysis

during analytical procedures, many auditors start with comparative financial statements and calculate year-to-year changes in balance-sheet and income-statement accounts. this is known as....

vertical analysis

during analytical procedures, this is when auditors calculate common-size statements in which financial statement amounts are expressed as percentages of a base, such as sales for the income-statement accounts or total assets for the balance-sheet accounts

1. dollar size of the account 2. liquidity 3. volume of transactions 4. complexity of the transactions 5. subjective estimates

factors that have been suggested as being related to the susceptibility of accounts to misstatement or fraud (5)

10%, 100,000$

for companies that have not undergone any significant changes in operations, current year recorded amounts should be fairly similar to those of prior year. Because changes are not expected, auditors can identify any changes more than ______% AND _______$ as deserving additional attention

audit risk

giving an unmodified audit opinion when unknown material misstatements (whether due to errors, frauds, or noncompliance with laws or regulations that directly affect the financial statements) actually exist in the statements causes what type of risk?

vague, implausible, or inconsistent responses to inquiries can be a key indicator of the pervasiveness of the fraud. Similarly, problematic or unusual reactions such as refusal to cooperate, hostility, or management delays in responding to the auditors are often present in financial statement frauds.

how can management's response to follow-up questions be a key source of evidence?

generally by examining more evidence

how can the auditor affect detection risk?

reviewing the board of directors' meeting minutes, making inquiries of key executives, and reviewing stock ownership records (5 percent ownership in the company is usually used as a good cutoff).

how do auditors identify related party relationships and transactions? (name a few methods) (3)

1. within one business day give the SEC the same report they gave the board of directors OR 2. resign from the engagement and, within one business day, give the SEC the report. If the auditors do not fulfill this legal obligation, the SEC can impose a civil penalty (e.g., monetary fine) on them.

if an auditor reports an illegal act that has a material effect on the financial statements to the board of directors and the board does not inform the SEC, the auditors must.... (2)

8-k

if the audit firm resigns or is fired for reporting client's fraud to an outside entity, the firm can cite these matters in the letter attached to SEC Form....

no, detection risk depends on and is planned for based on the assessment of the other risk factors.

is detection risk an independent judgement?

greater

liquidity: does greater or smaller account liquidity lead to being more susceptible to fraud?

relevant assertions

management assertions that have a reasonable possibility of containing material misstatements without regard to the effect of controls

direct effect noncompliance

noncompliance that produces direct and material effects on financial statement amounts (e.g., violations of tax or pension laws or government contracting regulations for cost and revenue recognition) that require the same assurance as errors and frauds (i.e., auditors must plan their work to provide reasonable assurance there are no material misstatements),

indirect effect noncompliance

noncompliance which refers to violations of laws and regulations that are not directly connected to financial statements (e.g., violations relating to insider securities trading, occupational health and safety, food and drug administration regulations, environmental protection, and equal employment opportunity).

extent

refers to the number of tests performed

timing

refers to when the further audit procedures take place.

audit risk (AR) = inherent risk (IR) x control risk (CR) x detection risk (DR)

risk model formula

general business sources, company sources, information from Client Acceptance or Continuance Evaluation, Audit Planning, Past Audits, and Other Engagements, preliminary analytical procedures

sources of information for assessing risks includes (4)

more

subjective estimates: do subjective measurements have more or less errors and fraud than objective measurements?

fraud

the act of knowingly making material misrepresentations of fact with the intent of inducing someone to believe the falsehood and act on it and, thus, suffer a loss or damage.

information risk

the probability that the information distributed by an entity will be materially false and misleading

brainstorming

the risk assessment process includes required audit team _____ sessions in which critical audit areas are discussed.

audit strategy memorandum

the scope, timing, and direction for auditing each relevant assertion based on the results of the audit risk model

employee fraud

the use of fraudulent means to misappropriate funds or other property from an employer. It usually involves falsifications of some kind: using false documents, lying, exceeding authority, or violating an employer's policies.

detection risk

there is an inverse relationship between RMM and ______ risk (the greater the risk of material misstatement, the lower the detection risk that auditors could allow in order to maintain the level of audit risk with which they feel comfortable.)

related parties

those individuals or organizations that can influence or be influenced by decisions of the company, possibly through family ties or investment relationships

significant risks

those risks that require special audit consideration because of the nature of the risk or the likelihood and potential magnitude of misstatement related to the risk.

avoid it, control it and share it (can also just accept it)

three basic ways that management can mitigate risk are (3)

white collar crime

type of crime that is the misdeeds of people who wear ties to work and steal with a pencil or a computer terminal.

larceny

type of employee fraud that is simple theft; for example, an employee misappropriates an employer's funds or property that has not been entrusted to the custody of the employee.

errors

unintentional misstatements or omissions of amounts or disclosures in financial statements.

higher

volume of transactions: does a higher or lower volume in transactions lead to a higher percentage of errors or fraud?

examining more transactions, performing extended procedures, including targeting tests toward higher risk areas, performing more tests of transactions at year-end rather than at interim points, and gathering higher quality evidence.

what are some responses to significant risks? (5)

1. invalid transactions are recorded 2. valid transactions or disclosures are omitted from the FSs 3. Transaction or disclosure amounts are inaccurate 4. transactions are classified in the wrong accounts 5. transaction accounting and posting are incorrect 6. transactions are recorded in the wrong period 7. disclosures are incomplete or misleading

what are the 7 categories of misstatements

assess risk factors, respond (re substantive procedures, specialists, etc), communicate

what are the last three steps of the risk assessment process?

auditors view all activities in a client's organization first in terms of risks that threaten the attainment of strategies and objectives and then in terms of management's plans and processes to mitigate the identified risks (for example, by using the ERM framework).

what is a top-down approach to risk assessment?

limited to performing specified audit procedures that may identify noncompliance with those laws and regulations that may have a material effect on the financial statements, making inquiry of management and those charged with governance, and inspection of correspondence with relevant licensing or regulatory authorities

what is an auditor's responsibility for detecting indirect-effect noncompliance?

understand the company and its environment

what is the first step in the risk assessment process?

understand internal control over financial reporting

what is the second step in the risk assessment process?

information from client acceptance and retention evaluation, audit planning and other engagements

what is the third step in the risk assessment process?

cash flow analysis

what type of analysis is good for detecting issues regarding going concern?

inherent

when results of events and transactions are recorded through information processing where errors and frauds can occur resulting in misstated financial statements, this is _____ risk

going concern (whether the company can remain a going concern)

whether the client will be able to survive into subsequent periods is called _____

directly to those charged with governance, usually the entity's audit committee of its board of directors. (never inconsequential and should be reported)

who should frauds involving senior managers or employees with significant internal control roles (along with any frauds that cause material misstatement in the financial statements) be reported to?

management at least one level above the people involved

who should minor frauds be reported to?

no

with the risk model/ formula, can auditors estimate inherent risk to be zero and omit other evidence-gathering procedures? AR = IR (=0) x CR x DR = 0

