Chapter 4 and 5
management at least one level above the people involved
"inconsequential" frauds should be reported to who?
financial statements to be materially misstated
a client's noncompliance with laws and regulations can also cause financial statements to be what?
walkthrough
a combination of inquiry of personnel, observation of an entity's operations, and document examination while tracing a single transaction through the entire audit trail from the beginning or the initiation of the transaction to its final inclusion in the financial statements
internal control deficiency
a condition that exists when the design or operation of a control does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion
significant deficiency
a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance
material weakness
a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis
relevant assertion
a financial statement assertion that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated
enterprise risk management (ERM)
a process effected by an entity's board of directors, management, and other personnel applied in strategy setting and across the enterprise that is designed to identify potential events that may affect the entity and to manage risks to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives
- title - responsibility of auditors and management - in accordance with PCAOB standards - definition of internal control over ICFR - inherent limitations - opinion - reference to opinion on financial statements - date of report
components of the auditor's report on internal control over financial reporting
- the company's organizational structure and management personnel - the sources of funding of the company's operations and investment activities - the company's significant investments - the company's operating characteristics, including its size and complexity - the sources of the company's earnings, including the relative profitability of key products and services, and key supplier and customer relationships
components of the nature of the company and related parties
- relevant industry, regulatory, and other external factors - the nature of the company and related parties - the effect of client computerized processing - the company's selection and application of accounting principles, including related disclosures - the company's objectives and strategies and those related business risks that might reasonably be expected to result in risk of MM - the company's measurement and analysis of its financial performance
components of understanding the client's business and its environment
the Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (COSO)
consisting of the FEI, AAA, IIA, IMA, and AICPA, group that debated internal control theory and definitions in 1992 and published an updated version in 2013
transaction-level controls
controls that relate to specific classes of transactions, account balances, and disclosures
- appointment, compensation, and oversight of the public accounting firm conducting the entity's audit - resolution of disagreements between management and the audit team - oversight of the entity's internal audit function - approval of nonaudit services provided by the public accounting firm performing the audit engagement
duties of the audit committee
- frauds involving senior management or employees with internal control roles, along with any frauds that cause material misstatement - should be reported directly to those charged with governance, usually the entity's audit committee or its board of directors
examples of consequential frauds and who they should be reported to
nature: more effective tests; timing: testing at year-end; extent: more tests with higher sample size
if a lower detection risk is allowed, what does that mean for the nature, timing, and extent of the audit procedures?
enlist the cooperation of management and assist fraud examination professionals when bringing an investigation to a conclusion
if preliminary findings indicate fraud possibilities, what should auditors do?
existence, completeness, and valuation
relevant assertions to accounts receivable
existence, valuation, presentation and disclosure
relevant assertions to cash
control environment
sets the tone of the organization, the foundation for all other components of internal control and is influenced heavily by a company's management team
- periodic evaluation by internal auditing - supervisory review of controls - follow-up of reporting errors - follow up of customer complaints - audit committee inquiries
some common monitoring controls include:
control activities (C in CRIME)
specific actions taken by a client's management and employees to help ensure that management directives are carried out
completeness
starting with a source document and following it forward to the financial statements tests what assertion?
occurrence
starting with the financial report and following it backward to the source document tests what assertion?
detection risk
the likelihood that the auditors' substantive procedures will fail to detect a material misstatement that exists within an account balance or class of transactions
control risk
the likelihood that the client's internal control policies and procedures fail to prevent or detect a material misstatement
board of directors (specifically the audit committee)
the oversight provided to the entity by the ___ __ _____ provides the highest level of monitoring
audit risk
the probability that an audit team will express an inappropriate audit opinion when the financial statements are materially misstated (give an unmodified opinion on FS that are misleading because of material misstatements that the auditors failed to discover)
inherent risk
the probability that in the absence of internal controls, material errors or frauds could enter the accounting system used to develop financial statements
1) have two separate reports (one on the fairness of the entity's financial statements and a separate one on internal control over financial reporting) 2) combined report (one opinion on FS and the second on the effectiveness of ICFR)
two options available for reporting on internal control
accuracy
when repairs and maintenance expenses are recorded as additions to property, plant, and equipment accounts to keep expenses off the income statement, what management assertion is violated?
completeness
when shipments are made to an employee's friend and intentionally never recorded, what management assertion is violated?
cutoff
when shipments made in january (of the next fiscal year) are backdated and recorded as sales in december, what management assertion is violated?
inherent risk other meanings
- the susceptibility of the account to misstatement - a function of the nature of the client's business and strategy to achieve competitive advantage, the major types of transactions, and the effectiveness and integrity of its managers and accountants
1) overstating revenues and assets 2) understating expenses and liabilities 3) giving disclosures that are misstated or that omit important information
3 main ways that companies have caused financial statements to be misstated
- internal control questionnaire - narrative description - flowchart
3 means for documenting the audit team's understanding of internal control
1. authorization to execute transactions 2. recording transactions 3. custody of assets involved in the transactions 4. reconciliation of existing assets to recorded amounts
4 types of responsibilities that should be performed by different departments
- control environment (E) - risk assessment (R) - control activities (C) - monitoring (M) - information and communication (I) CRIME
5 components of a properly designed internal control system
1. planning the engagement 2. using a top-down approach 3. testing controls 4. evaluating identified deficiencies 5. wrapping up 6. reporting on internal control
6 step audit process that is designed to evaluate the effectiveness of the internal control system over financial reporting
internal control
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting, the effectiveness and efficiency of operations, and compliance with applicable laws and regulations
follow up on suspected violations material to the financial statements
auditor's responsibility for indirect-effect noncompliance
- aggressive attitudes - high turnover - known history of violations - decisions are dominated by an individual or a small group - managers engage in frequent disputes with auditors
Examples of the management characteristics/influences that might indicate increased risk of fraudulent financial reporting
- company profits lag those of its industry - market is saturated due to competition - declining/rapidly changing industry
Examples of industry conditions that might indicate increased risk of fraudulent financial reporting
- weak internal control - insufficient cash flows - pressure to obtain capital - personnel are inexperienced - significant transactions/balances that contain estimates that are difficult to audit - significant and unusual related-party transactions
Examples of operating characteristics and financial stability that might indicate increased risk of fraudulent financial reporting
Completeness
Which assertion are these internal control activities implemented for? - check invoices with shipping document in A/R ledger
Existence
Which assertion are these internal control activities implemented for? - the CFO performs a detailed review of the bank reconciliation on a monthly basis - check sales order and shipping document to make sure sales were earned and a customer owes a balance
Valuation
Which assertion are these internal control activities implemented for? - the treasurer reviews the cash translation adjustment calculation monthly and independently checks that the appropriate spot rate has been used for each foreign currency - management evaluates the collectability of delinquent receivables on a timely basis
extent
_____ of an audit procedure refers to the number of tests performed
nature
______ of an audit procedure refers to the type of procedure (observation, recalculation, inquiry) and the purpose of the procedure (test of controls, substantive procedures)
timing
______ of an audit procedure refers to when the audit procedures will be completed
management's annual report on internal control over financial reporting
a report required by the Sarbanes-Oxley Act that states that management is responsible for establishing and maintaining adequate internal control over financial reporting, identifies the framework management uses to evaluate the effectiveness of the entity's internal control, and provides management's assessment of the effectiveness of the entity's internal control
fraud risk
a special case of the risk of MM related to those situations where management intended to mislead the marketplace by issuing fraudulent financial statements
audit committee
a subcommittee of the board of directors that is generally composed of 3-6 "outside" members of the organization's board of directors
embezzlement
a type of fraud involving employees or nonemployees wrongfully taking money or property entrusted to their care, custody, and control, often accompanied by false accounting entries and other forms of lying and cover-up
- integrity and ethical values of management - board of directors exercising oversight to FR and IC - management supporting ICFR - FR competencies - human resources
a well-functioning internal control environment is characterized by philosophies such as:
- ongoing and separate evaluations to ensure that internal control continues to function over time - reporting deficiencies and identified and communicated corrective action
a well-functioning monitoring system is characterized by:
all members = financially literate one member = financial expert
all members of the audit committee must be _____, and one member must be a ______
significant account or disclosure
an account or disclosure that has a reasonable possibility of containing a material misstatement individually or when aggregated with others regardless of the effect of controls
dual-purpose test
an audit procedure that can be used as both a test of controls and a substantive test
information system
an entity's system, usually built on some type of technological platform that has been designed to produce the information necessary for the entity to operate and control its business operations
defalcation
another name for employee fraud, embezzlement, and larceny, also called misappropriation of assets
business risks
any risks that could adversely affect a company's ability to achieve its objectives and execute its strategies
no, only as it affects the financial statements. They are not responsible to detect all fraud but are responsible to detect cases where fraudulent activity results in materially misstated financial statements
are audit teams concerned with all fraud?
Phase 3: identify controls to test and perform test of controls
at this stage of internal control evaluation, audit teams have already identified specific control activities for relevant assertions on which risk could be assessed below the maximum (100%), which controls the audit team intends to rely
management letters
audit teams often issue these in addition to an internal control report which contains commentary and suggestions on a variety of matters (operational/administrative efficiency, business strategy, profit-making possibilities)
design procedures to provide reasonable assurance
auditor's responsibility for direct-effect noncompliance
1. for public companies, audit and issue an opinion about the effectiveness of internal control over financial reporting (ICFR) 2. evaluate whether controls are in place to mitigate each fraud risk 3. assess control risk to determine the nature, timing and extent of substantive procedures to be performed
auditor's responsibility for internal control
incompatible responsibilities
combinations of responsibilities that place a person alone in a position to create and conceal misstatements due to errors or frauds in their normal job
exception testing
designed to identify a violation of a particular control activity through the use of an automated test procedure designed to test all items in a population
DR = AR / (IR x CR)
detection risk equation (also read and know image)
design effectiveness
determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements
nonpublic entity audits don't need to test the operating effectiveness of controls if they are not planning on relying on them, public entity audits are much more extensive
difference between testing the operating effectiveness of internal controls for nonpublic and public entities
IC: opinion on the effectiveness of internal control FS: no opinion on internal control
difference between the reporting of the internal control audit and the financial statement audit
IC: test each relevant control activity each year FS: test relevant control activities if relying on them
difference between the scope of the internal control audit and financial statement audit
the audit of internal control is as of the end of the fiscal year, whereas, for audits of the financial statements, the audit team must understand and evaluate internal control for the entire period
difference between timing for the audit of internal control and audit of financial statements
- industry developments (can't keep up with change) - new products/services (not being successful) - expansion of business (inaccurate demand estimate) - effects of implementing a strategy - financing requirements (loss of financing)
examples of situations in which business risks might result in material misstatement
- the environment in which the company operates (its "control environment") - the existence (or lack thereof) and effectiveness of control activities - monitoring activities (audit committee, internal audit function, etc)
factors affecting control risk
- dollar size of the account (higher = greater chance of fraud) - liquidity (greater = more susceptible) - volume of transactions (higher = greater chance) - complexity of transactions (more complex = greater chance) - subjective estimates (more fraud than objective ones)
factors that are related to the susceptibility of accounts to misstatement or fraud
1. develop an expectation 2. define a significant difference 3. compare expectation with the recorded amount 4. investigate significant differences 5. document each of the preceding steps
five steps to perform when completing analytical procedures
1. inquiry 2. observation 3. document examination 4. reperformance
four methods of testing controls, from least to most persuasive
1. performance reviews 2. separation of duties 3. physical controls 4. information-processing controls
four types of control activities
white-collar crimes
fraud perpetrated by people who work in offices and steal with a pencil or from a computer terminal, the contrast is with violent street crime
audit risk is evaluated at both the overall financial statement level (as a whole) and for each significant account and disclosure through a focus on the relevant assertions identified
how is audit risk evaluated?
nature: less effective tests; timing: testing at interim; extent: fewer tests with lower sample size
if a higher detection risk is allowed, what does that mean for the nature, timing, and extent of the audit procedures?
1) the reporting objectives of the engagement and the nature of the communications required by auditing standards 2) the factors that are significant in directing the activities of the engagement team 3) the results of preliminary engagement activities and the auditor's evaluation risk assessment
in establishing the overall audit strategy, the auditor should take into account:
the closer the procedures are performed to year-end, the more effective they are because there is less chance of a MM occurring between the interim confirmation date and year-end
in reference to the timing of procedures, when are the procedures more effective?
audit committees
independent, outside members of the board of directors (those not involved in the company's day-to-day operations) who can provide a buffer between the audit firm and management, all companies with securities traded on the exchanges are required to have them
- investigations, fines, or penalties - inadequate audit trail - media comment - failure to file tax returns - unusual payments/transactions - excessive sales commissions or agent's fees
indicators of a company's noncompliance
- discussions with engagement personnel - procedures to identify and assess risk - significant decisions during discussion - specific risk identified and audit team responses - explanation of why improper revenue recognition is not a risk - results of audit procedures, particularly procedures regarding management override - other conditions causing auditors to believe that additional procedures are required - communications to management and those charged with governance, such as the audit committee
items that must be documented in the risk assessment process include:
- human error - collusion - deliberate circumvention - management override - cost/benefit analysis (trade-off between the cost and effectiveness of internal controls) - reasonable assurance (the cost of an entity's internal control should not exceed the benefits)
limitations of internal control
low: .1 - .45 moderate: .4 - .7 slightly below max: .6 - .95 max: 1
low, moderate, slightly below the max, and max control risk numerical categories
1. establishing and maintaining adequate internal control over financial reporting 2. assessing and reporting on the effectiveness of internal control over financial reporting
management responsibility for internal control
risk assessment (R in CRIME)
management's identification and analysis of relevant risks to achievement of its objectives
Monitoring (M in CRIME)
management's process that assesses the quality of the internal control's performance over time
- reviewing the board of directors' meeting minutes - making inquiries of key executives - reviewing stock ownership records
methods for identifying related-party transactions
operating deficiency
occurs when a properly designed control is either ignored or inappropriately applied
Phase 1: understand and document the client's internal control Phase 2: Assess the control risk (preliminary) Phase 3: Identify controls to test and perform test of controls
phases of internal control evaluation
authorized personnel
physical access to assets and important records, documents, and blank forms should be limited to who?
detective controls
procedures that detect misstatements after they occur
preventive controls (preferable to detective controls)
procedures that prevent misstatements before they occur (those that ensure hiring competent people, limiting access, requiring approval, separating duties)
to provide a buffer between the audit team and the operating team of the company, which allows the audit team to report any controversial findings to members of the board of directors without fear of reprisal
purpose of the audit committee being composed of mostly independent members
analytical procedures
reasonable tests; auditors compare their expectation for each of the account balances with those recorded by management, procedures that allow auditors to evaluate financial information by studying relationships among both financial and nonfinancial data
operating effectiveness
refers to whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively
design deficiency
relates to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control's objective
audit plan
summarizes all of the important planning information and serves to document that auditors have followed GAAS, lists the audit procedure to be completed for each relevant assertion related to each significant account and disclosure identified on the audit engagement
red flags
telltale signs and indications that have accompanied many frauds that have occurred in the past
fraud
the act of knowingly making material misrepresentations of fact with the intent of inducing someone to believe the falsehood and act on it, and thus, suffer a loss or damage
accounting estimates (ex- valuation of investment securities, NRV of A/R, depreciation, goodwill, pension expense, warranty liabilities)
the approximations of financial statement numbers often included in financial statements
narrative description
the audit documentation that describes the environmental elements, the accounting system, and the control activities in an entity's internal control
flowchart
the audit documentation that provides a visual display of the accounting system and control activities in an entity's internal control system
internal control questionnaire
the audit documentation that uses a checklist of internal control-related questions to gain and document an understanding of the client's internal control
extended procedures
the audit procedures used in response to heightened fraud awareness as the result of the identification of significant risks
a material misstatement that was discovered during the previous audit
the best indicator of the risk of a material misstatement in the year under audit is...
risk of material misstatement (RMM)
the combined inherent and control risk; in other words, the likelihood that material misstatements may have entered the accounting system and not been detected and corrected by the client's internal control
vertical analysis
the common-size analysis of financial statement amounts created by expressing amounts as proportions of a common base such as sales for the income-statement accounts or total assets for the balance-sheet accounts
horizontal analysis
the comparative analysis of year-to-year changes in balance sheet and income statement accounts
entity-level controls
the controls that are pervasive to the financial statements taken as a whole
management fraud
the deliberate fraud committed by management that injures investors and creditors through materially misleading information
substantive procedures
the detailed audit and analytical procedures designed to detect material misstatements in account balances and footnote disclosures
fraudulent financial reporting
the intentional or reckless conduct, whether by act or omission, that results in materially misstated financial statements, sometimes used simultaneously with management fraud
audit strategy memorandum
the scope, timing, and direction for auditing each relevant assertion based on the results of the audit risk model, becomes the basis for preparing the audit plan
larceny
the simple theft of an employer's property that is not entrusted to an employee's care, custody or control
integrated audit
the term used to describe an audit process that is designed to provide an opinion on both the financial statements and the internal control system of an entity
1. financial reporting 2. operations 3. compliance
the three categories of management objectives in which internal control is designed to satisfy
employee fraud
the use of fraudulent means to take money or other property from an employer (usually involves falsifications of some kind, using false documents, lying, exceeding authority, or violating an employer's policies)
indirect-effect noncompliance (ex- violations relating to insider securities trading, occupational health and safety, FDA regulations, environmental protection, equal employment opportunity)
the violations of laws and regulations that do not directly affect specific financial statement accounts or disclosures
direct-effect noncompliance (ex- violations of pension laws or government contract regulations for revenue and expense recognition)
the violations of laws or government regulations by the entity or its management or employees that produce direct and material effects on dollar amounts in financial statements
related parties
those individuals or organizations that can influence or be influenced by decisions of the company, possibly through family ties or investment relationships
significant risks (fraud risks are always significant)
those risks that require special audit consideration because of the nature of the risk or the likelihood and potential magnitude of misstatement related to the risk
1. Management's characteristics and influence 2. Industry conditions 3. Operating characteristics and financial stability
three categories of factors that might indicate increased risk of fraudulent financial reporting
1) the fraudulent act 2) the conversion of the funds or property to the fraudster's use 3) the cover-up
three phases of employee fraud
1. unqualified (no material weaknesses exist) 2. disclaimer (unable to determine whether material weaknesses exist) 3. adverse (one or more weaknesses exist)
three types of opinions for internal control
1) testing all items in a population (uses exception testing) 2) testing a sample from a population (must include all occurrences of the relevant control activity for the entire period, and must be representative)
two approaches for selecting items for tests of internal controls
document examination
type of test for internal control: involves evidence of signatures, initials, checklists, reconciliations
observation
type of test for internal control: occurs when auditors have eyewitness observation of employees at their jobs performing control activities (ex- use of password-secured access, locked doors, security guards)
reperformance
type of test for internal control: the auditor would follow up on each reconciling item reviewed by the CFO and then reperform each of the mathematical calculations
inquiry
type of test for internal control: used to find out about the existence of control activities and then corroborate the oral evidence by observing that the client-described control activities are actually being performed
general business sources: - specialized trade magazines and journals (Forbes, Fortune, WSJ) - specific info about public companies found in registration statements and 10-K reports filed with the SEC; company sources: - corporate charter and bylaws - contracts, agreements, and legal proceedings - minutes of meetings
types of general business and company sources used for gathering info and preliminary analytical procedures
errors
unintentional misstatements or omissions of amounts or disclosures in financial statements
- the internal control system is too ineffective in preventing misstatements to rely upon to justify reductions in substantive testing - it may take more time to test controls than it would to just perform more substantive testing (auditors of public companies must test controls)
what are the reasons as to why an auditor may not choose to test controls?
- made it so auditors must inform the organization's board of directors when they believe an illegal act more than "clearly inconsequential" has or may have occurred
what did the Private Securities Litigation Reform Act of 1995 do?
to obtain the evidence needed to determine whether "related parties and relationships and transactions with related parties have been properly identified, accounted for, and disclosed in the financial statements"
what is the auditor's primary objective in regard to related parties?
- build personal working relationships - observe the competence and integrity of client personnel - obtain a general understanding of the client or company - probing for problem areas that could harbor financial misstatements
what is the purpose of interviewing the entity's management, internal auditors, directors, audit committee and other employees?
- critical areas are discussed - first objective: update audit team members on important aspects of the audit and heighten team members' awareness of the potential fraud and errors - second objective: set a proper tone for the engagement
what occurs during a required brainstorming session during the risk assessment process?
performance reviews
what type of control activity requires management's active participation in the supervision of operations, such as management's study of budget variances with follow-up action?
there's an inverse relationship between detection risk and RMM - the greater the risk of MM, the lower the detection risk that auditors could allow in order to maintain the level of audit risk with which they feel comfortable
what type of relationship exists between detection risk and RMM?
control risk - they cannot create or manage control risk - they can only evaluate an entity's internal control system and assess its magnitude in an appropriate manner
what type of risk do auditors have no effect on?
1) the likelihood and 2) materiality that a potential (or actual) misstatement would not be detected on a timely basis
what's the difference between a significant deficiency and a material weakness?
accuracy
when a company "short ships" a shipment to a customer and bills the customer for the full amount ordered, what management assertion is being violated?
classification
when a loan to a company's CEO (not permitted under Sarbanes Oxley) is classified as an account receivable to conceal the transaction, what management assertion is violated?
occurrence
when fictitious sales are recorded and charged to nonexistent customers, what management assertion is violated?
presentation and disclosure
when management fails to disclose litigation against the company, what management assertion is violated?
1. occurrence 2. accuracy 3. completeness
which financial statement assertion is supported by these information processing controls? 1. purchase orders must be authorized by purchasing department before any purchase is made 2. all invoices received from vendors for payment must be matched to receiving report and purchase order to ensure that the quantity billed agrees with the quantity ordered and received at previously agreed-upon prices 3. prenumbered documents must be used and accounted for to ensure that all transactions have been recorded
Phase 1: understand and document the client's internal control
which phase of internal control evaluation involves obtaining an overall acquaintance with the control environment and management's risk assessment, the flow of transactions through the accounting system, and the design of some client control activities?
Phase 2: assess the control risk (preliminary)
which phase of internal control evaluation involves the audit team members establishing an assessment of the level of control risk and identifying control strengths and weaknesses?
- addressed to management, the board of directors, or the audit committee - for public entities, the auditors' report must be in writing and presented to those in charge of governance (usually the audit committee) before their report on internal control over financial reporting is issued to the public
who is the internal control report to be issued to?