AUD Chap 7

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

True or false: When obtaining an understanding of the control environment, it is important that auditors focus on the substance of controls, rather than their form.

TRUE;Controls may be in place that are not enforced.

The Sarbanes-Oxley Act of 2002 requires public companies to provide reports on internal control by

management and auditors

PCAOB

Requires that annually some evidence regarding operating effectiveness should be obtained

In the consideration of internal control, the operating effectiveness of controls is tested by:

test of contols

Data analytics may be used ______ to certain sampling tests.

either as a supplement or an alternative

The existence of __that serve(s) as the standards or benchmarks to measure and present the subject matter is essential to performing an attest engagement.

suitable criteria

Controls that assess whether other transaction control activities are operating properly and are usually focused on high risk transactions are called ______ controls.

supervisory

After documenting internal control, auditors typically perform a(n) - , __which traces one or two transactions through each step in the cycle.

walk-through

Auditors' Overall Approach as it Relates to Internal Control

Overall approach of an audit: 1. Plan the audit. 2. Obtain an understanding of the client and its environment, including internal control. 3. Assess the risks of material misstatement and design further audit procedures. 4. Perform further audit procedures. 5. Complete the audit. 6. Form an opinion and issue the audit report. Steps 2-4 relate most directly to the role of internal control in financial statement audits.

True or false: The general approach to increasing evidence from a test of control is to increase the extent of the test, except in the case of automated controls.

TRUE

While obtaining an understanding of the other control components, auditors generally obtain some knowledge about the client's

control activities

Because of cost considerations, internal control is designed to provide__assurance, not absolute assurance.

reasonable

Controls that assess whether other transaction control activities are operating properly and are usually focused on high risk transactions are called

supervisory controls

Tests of controls address ______.

how controls were applied the consistency with which controls were applied by whom or by what means the controls were applied

Deficiencies that are less than significant are generally communicated in a(n)

management letter

Service Organizations 3

Types of Service Auditor Reports: • Type 1—Management's description of the system and the auditor's assessment of the suitability of the design of controls. • Type 2—Attributes of 1, plus assurance on the operating effectiveness of controls. • A Type 2 report may provide the user auditor (user of report) with a basis for assessing control risk below the maximum.

In an audit of internal control, if one or more material weaknesses in internal control are identified a(n) ______ opinion should be issued.

adverse

Which of the following is not a COSO component of internal control?

board oversight

Clear guidance that will allow proper and uniform handling of transactions and events is provided by an accounting information system's ______.

chart of accounts policies and procedures manual

The auditor's report on internal control under PCAOB standards expresses an opinion on whether the ______.

company maintained, in all material respects, effective internal control over financial reporting

Before performing tests of controls to determine whether they are operating effectively, auditors must first ______.

identify the controls likely to prevent or detect material misstatements

To increase the evidence from a test of control, the number of items tested should be increased for ______.

non-automated controls only

External auditors can use the work of internal auditors to ______.

provide direct assistance to the external auditors provide audit evidence based on their normal internal audit work

True or false: Auditors test the design of controls immediately after determining if they operate effectively.

FALSE; If the design is not effective, it makes no sense to test whether the controls operate effectively.

The Foreign Corrupt Practices Act was passed to

require organizations to maintain an effective system of internal control prevent payments of bribes and kick-backs to officials in foreign businesses

In making a judgment about the extent of the understanding of ___necessary, auditors should realize the information will be used to identify types of potential misstatements and consider factors that affect the risks of material misstatement.

internal controls

A symbolic representation of a series of procedures with each procedure shown in sequence is an example of a systems

flowchart

Specific authorization occurs when transactions are authorized on an individual basis while ___authorization occurs when management establishes criteria for acceptance of a certain type of transaction.

general

Transaction-level controls may be broken down into two categories:

general control activities and application controls

Auditors understanding of internal control should include not only the design of controls but also whether they

have been implemented

Auditors typically use a management letter to communicate deficiencies that are ______ than significant.

less

When auditors consider internal control design to be strong, they need to determine whether the control has been implemented which normally involves ______.

observing the procedure

In an internal control audit, tests of th___ of controls are used to determine whether the controls function as designed and if the individuals performing the controls possess the necessary authority and qualifications.

operating effectiveness

Tests of controls ordinarily are designed to provide evidence of:

operating effectiveness

Internal control practices that can help strengthen internal control in small companies include ______.

recording all cash receipts immediately using prenumbered checks only issuing checks after matching approved invoices with purchase orders and receiving reports

A policy requiring the preparation of a monthly bank reconciliation is an example of a

detective control

Which of the following is not ordinarily a procedure for documenting an auditor's understanding of internal control for planning purposes?

Confirmation

When assessing an internal auditor's objectivity, an independent auditor should:

Consider the policies that prohibit the internal auditor from auditing areas where relatives are employed in key management positions.

Tests of controls do not address:

How controls were originated.

What is the primary reason that auditors' assess internal control?

To determine the risk of misstatements of accounts.

If the test of controls results indicate the controls are not operating as effectively as planned, the assessed level of control risk needs to be ______ the planned assessed level.

higher than

For public companies, auditors are required to perform a(n) __audit that addresses both the financial statements and internal control.

integrated

In comparison to financial statement audits, auditors who perform integrated audits typically perform ______.

more audit procedures directed toward testing the effectiveness of internal control

This component of internal control assesses the quality of internal control performance over time.

monitoring

In general, auditors want evidence on operating effectiveness throughout the audit, so they ______ the year.

sample throughpout

A company operates an oil refinery. To reduce risk the company has decided to implement significant controls over safe operations. This is an example of:

risk reduction

The acceptable level of variation in performance relative to the achievement of objectives is called

risk tolerance

Accounting estimates are particularly difficult for management to control and often have a high risk of material misstatement because of the ______ estimates.

subjective nature of assumptions needed to make complexity of

Tests of controls are generally performed ______.

throughout the year

Preventive control

Choice, Aimed at avoiding the occurrence of misstatements Aimed at avoiding the occurrence of misstatements

Which of the following is not an advantage of establishing an enterprise risk management system within an organization?

Eliminates all risks.

True or false: The auditors should obtain an understanding of the client's processes for eliminating business risks.

FALSE; The auditors should obtain an understanding of the client's processes for identifying and responding to these risks, not eliminating them.

This document clearly describes the entity's methods of treating transactions which provides employees guidance that allows for proper and uniform handling of transactions.

Manual of accounting policies and procedures

Policies and procedures that help mitigate the risk that the organization's objectives are not met are called control

activities

The basic principles of the control environment include all of the following :

commitment to integrity and ethical values commitment to attract, develop, and retain competent employees effective board of directors

When internal auditors provide direct assistance to external auditors in preparing working papers and performing certain audit procedures, external auditors should ______.

direct, supervise, review, and test the work

Auditors use their understanding of which internal control component to identify risks of material misstatement that relate directly to the recording of transactions such as the recording of routine transactions like revenue?

information system

In addition to the typical journals, ledgers, and other record-keeping devices, a chart of accounts and manual of accounting policies and procedures should be included in an accounting__

information system

he risk of misstatement is composed of:

inherent risk and control risk

Management needs to assess risks that threaten their ability to meet their objectives in the areas of

operations, reporting, and compliance

The preliminary assessments of control risk are often referred to as the

planned assessed level of control risk

Control Objectives

In each area of internal control (reporting, operations and compliance). • Control objectives, and • Sub-objectives. Example: Area of reporting: • Top level objective - prepare and issue reliable financial information. • Detailed level applied to accounts receivable sub-objectives. • All goods shipped are accurately billed in the proper period. • Invoices are accurately recorded for all authorized shipments and only for such shipments. • Authorized and only authorized sales returns and allowances are accurately recorded. • The continued completeness and accuracy of accounts receivable is ensured. • Accounts receivable records are safeguarded.

Documenting the Understanding of Internal Control

Questionnaires. • Typically standardized by firm or industry. Written Narratives. • Memos that describe flow of transactions and controls. Flowcharts. • Systems flowcharts.

Use of the Work of Internal Auditors

Work of Internal Auditors may be used in two ways: • Obtaining audit evidence by using the internal auditors' work performed as a part of their normal responsibilities, and • Using internal auditors to provide direct assistance on the external audit.

Auditors use their understanding of internal control to do all of the following except ______.

assess detection risk for use in the audit risk model DOES: consider factors that affect risks of material misstatements dentify types of potential misstatements design tests of controls and substantive procedures

reduction risk

managing the risk or adding additional controls to process it

Segregation of duties is a

preventative control

COSO's definition of internal control emphasizes that it is a(n)__ or a means to an end

process

Service Organizations 1

• Computer service organizations provide processing services to customers who decide not to invest in their own processing of particular data. • Examples: Outsource processing of payroll or Internet sales; storage of data and records in the service organization's Cloud.

Limitations of Internal Control

• Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc. • Controls that depend on the segregation of duties may be circumvented by collusion. • Management may override internal controls. • Compliance may deteriorate over time.

Auditors perform tests of controls to obtain evidence about operating

effectiveness of controls

External auditors should assess the ___ (proficiency and training based on education, experience, and professional certifications) and ___(ability to perform their duties free from conflicting responsibilities or constraints) of the internal audit function before relying on their work.

competance; objectivity

Segregation of duties is an aspect of which of the following components of internal control?

control activity

acceptance risk

matches Choice, taking no action taking no action

When comparing a financial statement audit with an integrated audit, the procedures used to gain an understanding of internal control are ______.

the same

Controls Over Accounting Estimates

1. Control environment policies and procedures that encourage proper estimates. 2. Risk assessment consideration of the risks of inaccurate accounting estimates. 3. Policies that ensure that qualified personnel are involved in developing the estimates. 4. Policies and procedures that ensure that relevant, sufficient and reliable data is considered in the development of the estimates, and the model used is appropriate. 5. Management review of sources of data, processes used to develop the assumptions, changes in the methods used, and the reasonableness of assumptions and estimates. 6. Policies to ensure use of the work of specialists when considered necessary. 7. Policies to improve estimation processes by comparison of prior estimates with subsequent results.

Relationships Among Deficiencies

=Less than significant> significant deficiency> material weakness =Significant deficiency =Material weakness

Classification of Controls over Financial Reporting

Preventive: • Aimed at avoiding the occurrence of misstatements in the financial statements. • Example: Segregation of duties. Detective: • Designed to discover misstatements after they have occurred. • Example: Monthly bank reconciliations. Corrective: • Needed to remedy the situation uncovered by detective controls. • Example: Backups of master file used to reconstruct erroneous records. Controls overlap: • Complementary - function together. • Redundant - address same assertion or control objective. • Compensating - reduces risk existing weakness will result in misstatement.

Approach to Audit of Internal Control under Section 404b

This section applies to public companies with a market capitalization of $75 million or more. For those companies, the auditors audit internal control as a part of an integrated audit. In doing so, the auditors: • Plan the engagement. • Use a top-down approach to identify the controls to test. • Test and evaluate design effectiveness of internal control. • Test and evaluate operating effectiveness of internal control. • Form an opinion on effectiveness of internal control over financial reporting.

Auditors identify the company's control objectives and risks in each financial reporting area and then identify relevant controls that satisfy each control objective when testing design

effectiveness

AICPA standards require that tests of controls be performed ______ audit.

every thrird

After assessing the risks of material misstatement, auditors should design further audit procedures such as substantive procedures and tests of controls if planned assessed level of control risk is ______.

low

A deficiency in internal control over financial reporting (or combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis is a(n)

material weakness

In an audit of a small company, the auditor typically performs ______ internal control.

more substantive procedures because of the absence of strong

Risks at the financial statement level ______.

require considerable judgment for the auditor potentially affect many relevant assertions

When the assessed level of control risk is low, the auditor should ______.

restrict substantive procedures for that assertion

The nature of transactions

Consider the nature of the transactions: • Routine transactions—for example, regular revenue, purchases, and cash receipts and disbursements. • Non-routine transactions—for example, taking of inventory, calculating depreciation expense. • Estimation transactions—for example, determining the allowance for doubtful accounts. Generally routine transactions have the strongest controls.

Which of the following is of particular significance to corporate governance?

Control environment

3. Assess the risks of material misstatement

General approach: • Identify risks while obtaining an understanding of the client and its environment, including its internal control. • Relate the identified risks to what can go wrong at the relevant assertion level. • Consider whether the risks are of a magnitude that could result in a material misstatement. • Consider the likelihood that the risks could result in a material misstatement.

Ongoing evnluation

Monitoring customer complaints

Corrective control

Needed to remedy a situation after a misstatement is discovered

Obtaining the Understanding

Procedures include: • Inquiring of entity personnel. • Observing the application of specific controls. • Inspecting documents and reports. • Tracing transactions through the information system relevant to financial reporting (System Walkthrough). May also obtain evidence on operating effectiveness of various controls.

AICPA and International Auditing Standards

Require that test of controls be performed at least every third audit

When auditors assess risk at the__ assertion level instead of the financial statement level, they consider both the design of the control and its implementation.

relevant

An integrated audit requires the auditors to test controls for all ______.

relevant assertions about major accounts

The controls that are most relevant to an audit are those that pertain to the

reliability of financial reporting

Which of the following is NOT a reason that internal control can only provide reasonable assurance from fraud and waste?

All designed controls to address fraud and waste are adopted.

In an integrated audit, auditors use a ______ approach in the internal control audit.

top-down

Assessing Risks at the Assertion Level

Examples: • Failure to recognize an impairment losses on a long-lived assets affects only the valuation assertion. • Inaccurate counting of inventory at year-end affects the valuation of inventory and the accuracy of cost of goods sold. Responses: • Decisions are made here as to the appropriate combination of tests of controls and substantive procedures that respond specifically to the risk.

4. Perform Further Audit Procedures - Test of Controls 2

Tests of controls include: • Inquiries of appropriate client personnel. • Inspection of documents and reports. • Observation of the application of controls. • Reperformance of the controls. The results of the tests of controls are used to determine the nature, timing and extent of substantive procedures.

Performance reviews are an integral part of which component of internal control?

control activities

A situation in which the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect material misstatements on a timely basis is referred to as a:

control deficiency

Section 404 of the Sarbanes-Oxley Act requires public companies to provide reports on internal control by ______.

management external auditors

For a corporation, the major components of corporate governance include all of the following except

management of the company INCLUDES: External auditors BOD audit comittee

A deficiency in internal control over financial reporting (or combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis is a__

material weakness

Regarding deficiencies and weaknesses in internal control, auditing standards require auditors to communicate in writing ______.

material weaknesses significant deficiencies

Control Environment Factors

• Commitment to integrity and ethical values. • Board of directors demonstrates independence from management and exercises oversight of internal control. • Establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities. • Commitment to attract, develop, and retain competent employees. • Holding employees accountable for internal control responsibilities.

Internal Control Definition

A process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding, achievement of (the entity's) objectives relating to: • Operations. • Reporting, and • Compliance.

4. Perform Further Audit Procedures - Test of Controls 1

Approach: • Identify controls likely to prevent or detect material misstatements. • Perform tests of controls to determine whether they are operating effectively. Tests of controls address: • How controls were applied. • The consistency with which controls were applied • By whom or by what means (for example, electronically) the controls were applied.

Service Organizations 2

Auditors should obtain understanding of the outsourced function by following one or more of: • Contacting service organization to obtain information. • Visiting service organization an performing necessary procedures. • Obtaining a report from the auditors of the service organization. Terms: • Service auditor—provides examination of service organization's controls. • User auditor—Uses that report.

Effects of Data Analytics

Data analytics may be used to perform tests of controls (operating effectiveness); auditors may test controls over the entire population of transactions rather than a sample.

Detective control

Designed to discover misstatements after they have occurred

All organizations under the jurisdiction of the SEC are required to maintain a system of internal control that will provide certain reasonable assurances under The

Foreign Corrupt Practices Act

Objectives of an Accounting System

Identify and record valid transactions. • Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions. • Measure the value of transactions appropriately. • Determine the time period in which the transactions occurred to permit recording in the proper period. • Present properly the transactions and related disclosures in the financial statements.

Monitoring

Ongoing monitoring activities. • Regularly performed supervisory and management activities. • Examples: • Continuous monitoring of customer complaints. • Management review control in which the Controller reviews gross profit on revenue transactions for unusual relationships. Separate evaluations: • Performed on nonroutine basis. • Example: Periodic audits by internal audit.

Foreign Corrupt Practices Act

Passed in 19 77 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business. The Act: • Makes illegal payment of bribes to foreign officials. • Requires an effective system of internal control (applies to public companies).

Control Activities

Performance reviews. Transaction control activities. Physical controls. Segregation of duties. • Segregate authorization, recording and custody of assets.

An example of an area that tends to be difficult for management to control and usually results in a very high risk of material misstatement is

accounts valued at fair value

For the control environment component, professional standards require auditors should obtain sufficient knowledge about the company's

antifraud program

Controls over the authorization and processing of payroll are

application controls; only affects the reliability of payroll activiites

The major difference between control objectives and management assertions is that control objectives

are broader in scope; Control objectives relate to financial reporting, operations, and compliance.

Separate evaluation

audits by internal auditor

All of the following are examples of control activities

authorizations verifications performance reviews physical controls

Auditors should identify and assess the risks of material misstatement:

both the financial statement level and the relevant assertion level for account balances.

The company has one control that requires reconciliations of bank statements and another that requires all cash disbursements to be authorized. This is an example of ______ controls.

complementary

Proper segregation of duties should be applied to ______.

departments and individuals

avoidance risk

exiting the activity that gives rise to the risk

When assessing the risk of material misstatement, auditors rely on the ______ effectiveness of internal control.

expected

The goal of segregation of duties is not to allow an individual to have__

incompatible duties

Procedures to obtain an understanding of internal control include ______.

inquiry of entity personnel tracing of transactions through information system inspection of documents and reports

sharing risk

insurance, hedging, and outsourcing

The three categories of objectives of __control are reporting, operations, and compliance.

internal

The traditional method of describing internal control is to complete a(n) ______.

internal control questionnaire

Internal auditors monitor ______.

management branches departments

An accounting information system should ______.

measure the proper value of transactions ensure transactions are recorded in the proper time period identify and record all valid transactions

Most internal control questionnaires are designed so that a ______ answer to a question indicates a weakness in internal control.

no

Two controls that both address the existence of accounts receivable are referred to as

redundant controls

Risk assessment is management's process for

responding to risks identifying risks analyzing risks

To obtain an understanding of internal control auditors use

risk assessment procedures

One feature of well-designed forms and documents that can be used to control the number of documents issued and account for sequence of documents is ______.

serial numbers

The rule that management must approve all credit sales over $75,000 is an example of a(n)

specific authorization

Many CPA firms consider a(n) ______ to be more effective than the other methods for documenting their understanding of a client's accounting information system and related control activities.

systems flowchart

The foundation for the other internal control components is

the control environment

When an organization has senior management and a board of directors that establish values and expectations regarding appropriate behavior and lead by example, it is said to have a strong __at the__ .

tone at the top

Internal auditors are representatives of ______.

top management

Management's Report on Internal Control under Section 404a

• Acknowledgment of responsibility for internal control. • An assessment of internal control effectiveness as of the last day of the company's fiscal year Acknowledgment of responsibility for internal control. • An assessment of internal control effectiveness as of the last day of the company's fiscal yearn using suitable criteria. • Support the evaluation with sufficient evidence using suitable criteria. • Support the evaluation with sufficient evidence.

Responses to high risks:

• Assigning more experience staff or those with specialized skills. • Providing more supervision and emphasizing the need to maintain professional skepticism. • Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed. • Increasing the overall scope of audit procedures, including the nature, timing or extent.

Enterprise Risk Management (E R M)

• C O S O issued a framework in 2004 (revised in 2017) on Enterprise Risk Management. It does not replace the original C O S O internal control framework. • It goes beyond internal control to focus on how organizations can effectively manage risks and opportunities. • The auditing standards are still structured around the original C O S O internal control framework but the risk management framework is useful in evaluating the risk assessment component of internal control.

Risk Assessment

• Clearly specify objectives to allow the identification and assessment of risks related to those objectives. • Identify and analyze risks to the achievement of its objectives to determine how they may be managed. • Consider potential fraud relating to the achievement of objectives. • Identify and assess changes that could impact internal control.

Components of Internal Control

• The Control Environment. • Risk Assessment. • Control Activities. • Information System Relevant to Financial Reporting and Communication. • Monitoring Activities.

Internal Control in the Small Company

Due to lack of employees, internal control is seldom strong in small businesses. Specific practices for small businesses: • Record all cash receipts immediately. • Deposit all cash receipts intact daily. • Make all payments by serially numbered checks, with exception of petty cash disbursements. • Reconcile bank accounts monthly and retain copies. • Use serially numbered purchase orders, invoices, and receiving reports. • Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and receiving reports. • Balance subsidiary ledger with control accounts. • Prepare comparative financial statements monthly to disclose significant variations in any category of revenue or expense.

Assessing Risks at the Financial Statement Level

Examples: • Preparing the period-end financial statements, including the development of significant accounting estimates and preparation of the notes. • The selection and application of significant accounting policies. • IT general controls. • The control environment.

True or false: To assist auditors with describing internal control in their working papers, auditors typically perform a walk-through of one or two transactions.

FALsE; A walk-through is typically performed after internal control has been described in order to verify that it has been implemented.

2. Obtain an understanding of the client and its environment, including internal control

The understanding of internal control is used to help the auditors to • Identify types of potential misstatements. • Consider factors that affect the risks of material misstatement. • Design tests of controls (when applicable) and substantive procedures. Auditors must consider all five internal control components: • Control environment. • Accounting information system. • Risk assessment. • Control activities. • Monitoring. In doing so, the auditors should also consider areas difficult to control like non-routine transactions.


Kaugnay na mga set ng pag-aaral

Sherpath Module 6: Perioperative Care

View Set

BCOR 350 (Bal) - Exam 2 possible questions

View Set

Fundamental Concepts and Skills for Nursing chapters 24, 29, 30 & 31

View Set

Nervous System + Tissue (Ch. 11)

View Set

chapter 2 science (Respiratory system)

View Set

Davis Edge Medication Patients (Chp 25)

View Set