Audit Exam 2
Which of these represents how willing the auditor is to accept F/S might be misstated after a clean opinion is issued audit risk or AAR
AAR
What are the risks under the auditor's control? What are the risks NOT under the auditor's control?
AAR and PDR engagement risk, RMM, IR, CR, and audit risk
Which type of evidence is NOT used by the auditor to obtain an understanding of the design and implementation of internal controls A. inquiry B. observation C. confirmation D. inspection
C
For statistical samples, the auditor will compare ____ and _____
CUER and TER
what formula is used for sample evaluation? aka the formula for cuer explain
CUER= SER + allowance for sampling risk CUER= SER + (TER- SER) theoretically, CUER should = TER
What are the two questions monitoring activities answer
Are controls operating as intended? Are controls modified as appropriate as conditions change?
Which audit evidence is stronger: When determining the cutoff of sale? Bill of lading dated after YE vs cash receipt after YE
BOL
what does an AAR of 0% mean? What about 100%?
0% is certainty 100% is complete uncertainty
Inherent risk is ordinarily assessed by the auditor during planning and a. may vary by each major cycle and by each account. b. may vary by each major cycle but is held constant for each account c. is held constant for each major cycle but may vary by each account d. is held constant for each major cycle and each account
A
Audit programs should be designed so that: A. All required procedures can be performed as interim B. IR is assessed at a sufficiently low level C. The auditor can make constructive suggestions to mgmt. D. The audit evidence gathered supports the auditor's conclusions
D
What are some limitations of the ARM
Desired level of audit risk may not actually be achieved It does not consider potential auditor error There is no way of knowing what the preliminary level of risk actually was
what types of sampling does non-probabilistic sampling entail? describe them
Haphazard- items selected without conscious bias; most commonly used Block- several items in sequence Directed- larger items, likelier to contain errors, contain some characteristic and auditor chooses items based on judgment
Which risk is the systemic risk of an organization
IR
audit may make a combined assessment of IR and CR known as RMM, which works because...
IR and CR do not affect PDR low IR and high CR has same effect as high IR and low CR
Based on this scenario, is there a significant deficiency or material weakness? Company B processes a significant number of intercompany transactions on a monthly basis. Individual intercompany transactions are frequently material. Reconciliations of accounts are not performed on a timely basis and differences in accounts are frequent and significant. Mgmt does not perform any alternative controls to investigate significant intercompany account differences.
Material weakness. The magnitude of a misstatement would reasonably be expected to be material. Additionally, actual unreconciled differences have been material
in looking at the direction of tests, ____ and ____ are done in opposite directions what do each of them test?
Occurrence tests that there are no non-existent transactions recorded; this is done through vouching. Completeness tests that there are no omitted transactions; this is done through tracing.
Give an example of a risks in the sales and collections cycle for each transaction-related audit objective
Occurrence- sales could be recorded twice or for a nonexistent customer Completeness- sales are not recorded for products shipped Accuracy- sales are recorded at an incorrect selling price or recorded using incorrect quantity Timing/cutoff- sales/AR are recorded in wrong period Classification- related party sales are recorded as trade sales
Which risk sounds like sampling and non-sampling risks from chpt 15
PDR because its risks we fail to identify
What are some limitations of IC
Personnel errors (misunderstanding, careless, tired) Mgmt override Collusion Cost-benefit tradeoff- aka perfect controls means business does not run the best it can
What are the 4 phases in an auditor's process for evaluating ICFR
Phase 1: plan and design an audit approach based on risk assessment procedures Phase 2: Perform tests of controls and substantive tests of transactions Phase 3: Perform substantive analytical procedures and tests of details of balances Phase 4: Complete the audit and issue an audit report
What are the list of control activities
Proper authorization of transactions Physical controls over assets and records Adequate dox and records Segregation of duties Independent checks on performance- trust but verify
what does audit risk consist of
RMM and PDR
what types of sampling does probabilistic sampling entail? describe them
Random- each item has an equal chance of being included in the sample With or without replacement Systematic- every nth item chosen Probability proportional to size (PPS)- each dollar has an equal chance of being included in the sample Stratified- separate pop into sub pops based on size (or other criteria) and choose samples for each sub pop
TOC Example 1: The control is credit is approved automatically by computer by comparison to credit limit The TOC is reperformance What management assertions about balance relate to this? What risk of material misstatement would this prevent/detect?
Related to accuracy, valuation, and allocation because you don't want to sell above what a customer can pay. The risk of material misstatement is having a higher ADA because of collection issues.
IC are the policies and procedures designed to provide reasonable assurance that the company achieves its objectives in...
Reliable fin reporting Compliance with laws Effective and efficient ops
what is the auditor's best estimate of the deviation rate in the pop
SER
For non-statistical samples, the auditor will compare _____ and _____
SER and TER
What test emphasizes the verification of transactions recorded in the journals and then posted in the GL
STOT
_____ validate acct records to source dox and test for misstatements directly affecting _______ by determining whether ________ are met
STOT F/S balances transaction-related audit objectives
Using the example of an AR t chart, demonstrate how STOT and TODOB are related
STOT is used for sales, cash receipts, and uncollectible amounts TODOB is used for ending balance
what is the difference btw sampling and non-sampling risk?
Sampling risk- risk that auditor reaches wrong conclusion because they chose a non-representative sample Non-sampling risk- risk that auditor reaches incorrect conclusion because audit tests do not uncover expectations in the sample
Based on this scenario, is there a significant deficiency or material weakness? Company A has a significant number of routine intercompany transactions on a monthly basis. Individually they are not material and primarily relate to B/S activity. Since there is no process to ensure performance of the required monthly reconciliation of accounts, detailed reconciliations are not performed on a timely basis. Mgmt does perform monthly procedures to investigate selected large-dollar intercompany account differences.
Significant deficiency because transactions are not material and compensating controls should detect material misstatement. Because detective controls are designed only to detect material misstatements, controls do not address detection of non-material significant misstatements. Also, transactions are restricted to bal sheet accounts, so it is reasonably possible that a misstatement could occur.
What is inherent risk
Susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material BEFORE considering related controls
what is formula for allowance for sampling risk
TER-SER
attribute sampling uses which two tests
TOC STOT
If you are looking at a random invoice with information from the master price list and the invoice is used in updating the sales journal, what is an example a dual purpose test here?
TOC: verify that correct price is pulled from master price list STOT: vouch from the sales journal to the invoice and recalculate the invoice
The results of which two types of tests have a significant effect on the remainder of the audit
TOCs and STOTs
Exceptions discovered during TOCs do not necessarily indicate a F/S misstatement. How?
The auditor's objective in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting. Even though an identified misstatement indicates a control deficiency exists, it does not indiciate a F/S misstatement, but the auditor should use it as a warning that the F/S might be misstated and proceed with testing.
A deficiency uncovered in the audit of IC indicates what about the F/S misstatement?
The likelihood of the misstatement
TOC Example 2: The control is separation of duties btw billing, recording sales, and handling cash receipts. The TOC is observation and inquiry. What management assertions about balance relate to this? What risk of material misstatement would this prevent/detect?
The risk we are worried about it booking sales that don't exist (existence) or taking extra cash for themselves (occurrence).
When assessing control risk, many auditors use...
a control risk matrix
the use of an appropriate sample selection technique cannot ensure....
a representative sample
Tests of controls are done by testing ____ from the applicable period. It concludes that the control operated...
a sample effectively and consistently over a period of time
what is ARO depends on assessed.... is the auditor's measure of...
acceptable risk of overreliance; risk we are willing to take of relying on the control when it doesn't work as well as we need it to; matter of auditor judgment depends on assessed CR auditor's measure of sampling risk
attribute sampling requires setting a standard for what is working well enough, computing an estimate of ________ in the pop, and comparing the standard to the estimate to decide where _____ and ______ need revision
actual performance CR audit program
What 3 key control activities did we discuss relating to the sales and collection cycle?
adequate segregation of duties proper authorizations adequate dox and records
Tests of design are required for (all/ICFR) audits. It is done (once/throughout the audit). Tests of op effectiveness (aka TOC) are required for (all/ICFR) audits. It is done (once/throughout the audit).
all; once ICFR; throughout the audit
- Mgmt. is responsible for internal controls, but auditors are responsible for _____ control risk
assessing
what are the different types of sampling? describe them
attribute sampling- used to estimate the proportion of a pop containing a certain characteristic or attribute sampling of balances- used to estimate amount of misstatement present in account balances
plan the sample example: if risk is occurrence of sales... what is the attribute you would test? what is the pop? what is the sampling unit? what is an exception?
attribute: every invoice is supported by shipping doc pop: all the invoices in sales journal sampling unit: 1 sales invoice exception: no shipping doc
What is ARM?
audit risk model decides how much and what types of evidence to accumulate for each relevant audit objective AAR= (IR*CR)* PDR
When assessing risk, it is important to remember that detection risk can be determined after...
audit risk, inherent risk, and control risk are determined
The purpose of obtaining an understanding of IC is to determine whether the client is ____, to identify potential ____, and to design ___
auditable material misstatements tests of controls and substantive tests
Substantive analytical procedures compare recorded info and _____ Use of AP as a substantive test relies on the _____ of the account and the ability to form a precise ____
auditor's expectations predictability estimate
Tests of details of balances are used to determine whether ______ are met What are the types of audit procedures
balance-related objectives physical examination, confirmation, inspection, inquiry, reperformance, and recalculation
How do we decide the extent of our procedures for TOC
based on desired PDR or desired achieved CR
how often is IR assessed?
begins during planning and is updated throughout the audit for each cycle, account, and assertion
what are the two components of sampling
calculation of sample size and selection of the sample items to test
non-statistical calculation (must/can) use which types of selection techniques
can use probabilistic or non-probabilistic
Auditors (can/cannot) ignore controls affecting internal mgmt info
cannot
Which audit evidence is stronger: When determining completeness of cash? Cash receipts journal vs cash receipts log + bank statement
cash receipts log + bank statement
When an audit team traces a sample of shipping dox to the related sales invoice copies, they are primarily trying to find relevant evidence for shipments to customers were invoiced. This is an example of testing for...
completeness of invoices
what is CUER
computer upper exception rate; highest estimated exception rate in the population for a given ARO and sample result; this is our estimate of performance in the population
If SER> TER... IF SER< TER...
conclude that control is not operating effectively auditor should consider risk that true pop exception rate is > TER; calculate allowance for sampling risk
If allowance for sampling risk is too low... If allowance is large enough...
conclude that the control is not operating effectively conclude that control is operating effectively
What are the different reportable conditions? Describe them
control deficiency- remote and inconsequential; when the operations of a control does not allow mgmt or employees to prevent or detect misstatements on a timely basis material weakness- material and reasonably possible; an IC deficiency where there is reasonable possibility that a material misstatement of F/S will not be prevented or detected on a timely basis significant deficiency- an IC deficiency that is less severe than a material weakness yet important enough to merit attention
what are exceptions in attribute sampling called? which tests do they relate to?
control deviation- for TOCs monetary misstatements in transactions- STOTs
If TER>= CUER... If TER < CUER...
control works well enough to rely on it; generally, accept the same results as supportive of assessed CR and planned testing; risk is less than ARO; control fails less than TER control not working as expected; conclude that the risk is higher than ARO and that the control fails more than tolerable (TER); initial CR assessment not supported, must revise planned level of substantive tests
The goal of testing controls is to determine whether... Some procedures include...
controls are operating effectively performing a walkthrough, inquiring of client personnel, examining docs, observing control activities, and reperforming control procedures
proper authorizations require: ____ authorized before sale shipping where ___ is authorized and ____ is approved _____ including terms, freight, and discounts being authorized
credit credit; customer prices
If investors heavily rely on F/S, auditor will (increase/decrease) AAR
decrease
What effect on sample size does this change warrant? Increase ARO
decrease initial sample size
What effect on sample size does this change warrant? Increase TER
decrease initial sample size
Issuing an audit opinion on operating effectiveness of ICFR requires identifying... if even one.....
deficiencies, significant deficiencies, and material weaknesses if even one material weakness, issue adverse opinion
What are the factors of AAR
degree to which external users rely on F/S likelihood of client financial difficulties after the audit auditor's evaluation of mgmt's integrity
What are the two types of control deficiencies? Describe them
design deficiency- a necessary control is missing/not well designed/not properly implemented operation deficiency- a well-designed control does not operate as designed or the person performing hte control is not qualified
assessment of AAR is based on... define it
engagement risk risk that auditor will suffer harm after the audit is finished, even through the audit report was correct (meaning they have to defend their work)
what is EPER
estimated population exception rate; our estimate of the control's failure rate before we begin sampling; need this to plan the sample size; use preceding year's audit results or a small preliminary sample
What are the main procedures of understanding IC and assessing control risk
evaluating prior experience with the client a walkthrough (when you take one individual transaction and find out what starts that process) inquiry examining dox observing activities
What are mgmt's assertions about account balances and their balance-related audit objectives?
existence- same completeness- same A,V,A- accurancy, cutoff, detail tie-in, and realizable value classification- same rights and obligations- same
Mgmt must identify ______ used to evaluate the effectiveness of ICFR
framework
Remember that there other risks such as ___ or ____ which make risk assessment tricky
fraud significant risks- areas that need special audit consideration
assess CR as _____ if auditor does not want to rely on IC at all (normally for what types of companies?)
high small public or private
_____ (higher/lower) IR areas are audited more thoroughly, but IR.... based on what auditor does why?
higher does not change because IR is based on the entity's inherent risk, so no auditor work can change it
(Higher/Lower) ARO allows (more/less) risk, so (larger/smaller) sample size
higher -> more risk -> smaller sample lower -> less risk -> larger sample
If companies are the exact same size, you might have the same materiality level, but you might do a lot more work for one than the other because of...
higher or lower IR and CR
Explain risk assessment
identification and analysis of risks to achieving objectives hand in hand with control activities
Non-sampling risk can be caused by... How can you minimize non-sampling risk
inappropriate audit procedures, unreliable evidence, human error designing good tests and recognizing exceptions by using experienced auditors or avoiding boredom/exhaustion
If a company is a startup, auditor will (increase/decrease) AAR
increase
What effect on sample size does this change warrant? Increase EPER
increase initial sample size
Explain info and comm
info used internally and externally for decision making there has to be sufficient detail that a new person can come in and understand it
A system of IC ought to provide reasonable assurance that F/S are fairly stated despite... its effectiveness depends on..., meaning it cannot prevent...
inherent limitations on controls competency/dependability of people cannot prevent collusion
Describe the filtering diagram
inherent risk is input, the control system filters out misstatements in control risk, audit procedures filter out misstatements in PDR, and the output is AAR
What pattern does the flow in flowcharts follow
input -> processing -> output
What types of audit procedures are used for SAPs
inquiries and AP
What are the main procedures/evidence used for TOC
inquiry (ask) inspection (look) observation (watch) reperformance (do)
What types of audit procedures (evidence) are used for STOT
inspection inquiry reperformance recalculation
in analyzing exceptions, an auditor must ask if they were _______, confined to...., or caused by _____
intentional/fraud a specific process/person/time period misunderstanding/carelessness
PDR has a _____ relationship with amount of evidence auditors plan to collect. This means that a lower PDR requires (more/less) evidence to achieve AAR
inverse more
CR is ______ related to PDR and ______ related to planned evidence
inversely positively
Inherent risk is ______ related to PDR and _____ related to planned evidence
inversely positively
Which audit evidence is stronger: when determining whether a sale occurred Sales order vs sales invoice Sales invoice vs bill of lading Bill of lading vs cash receipt
invoice BOL cash receipt
Which audit evidence is stronger: When determining the accuracy of sale? Sales invoice vs bill of lading For quantity shipped: sales invoice vs packing slip For amount billed to customer: sales invoice vs packing slip
invoice packing slip invoice
The bigger the difference btw TER and EPER, the (more/less) precision required, so the (larger/smaller) the sample
less smaller
What is PDR
likelihood that audit procedures fail to detect material misstatement; is determined by AAR, IR, and CR (bc of calculation AAR/RMM) is the auditor's risk
What is AAR?
likelihood that material misstatement exists after auditor issued unqualified opinion
What is mgmt's responsibility for all companies
mgmt. must establish and maintain a system of IC
What is mgmt's responsibility for public companies?
mgmt. must maintain IC system for fin reporting (ICFR) and assess its effectiveness at year end through filings for design and implementation and operating effectiveness
What effect on sample size does this change warrant? Increase pop size
minor increase in initial sample size
What is auditor's responsibility for large public clients?
must audit ICFR and issue audit opinion on operating effectiveness
statistical calculation (must/can) use which types of selection techniques
must use probabilistic
3 common methods of documenting the understanding of IC are
narratives, flowcharts, and IC questionnaires
PDR is used to determine ___, ___, and ___ of audit work
nature, extent, and timing
Should all controls be considered in the control risk assessment process? Each control can be used to satisfy ____ audit objective(s)
no one or more
If the assessed level of CR= the planned CR... If it is > the planned CR...
no change to substantive tests increase substantive tests
allowance for sampling risk is only used for (statistical/non-statistical) samples
non-statistical
This is a strong way to provide evidence for the (existence/occurrence) of a sale: select a sample of sales invoices recorded in the sales journal and trace to the related bill of lading to make sure each sale was shipped
occurrence
What are mgmt's assertions about transactions and their transaction-related audit objectives?
occurrence- same completeness- same accuracy- accuracy and posting + summarization classification- same cutoff- timing
Tests of design walk through.... and concludes that the organization... It also allows the auditor to assess...
one transaction designed the control they claim to have preliminary CR
Of the two types of control deficiencies, which one would require an auditor to determine if it is a significant deficiency or a material weakness
operation deficiency
What activities are included in the sales transaction of the sales cycle
order entry credit authorization shipping billing and recording
While planning procedures to obtain audit evidence, auditors consider risk at both... explain
overall F/S level- issues with mgmt's integrity/competence and ineffective BOD oversight or ineffective IC systems relevant assertion level- assertions and risks for each assertion for each balance, transaction, and disclosure where each risk is comprised of IR and CR
What are the types of audit evidence
physical examination inquiry inspection observation recalculation reperformance AP confirmation
what are the steps in sampling?
plan sample select sample and perform tests evaluate results analyze exceptions
The auditor uses control risk assessment and results of tests of controls to determine...
planned detection risk and related substantive tests
Audit risk and materiality are considered in what three stages?
planning and performing the audit evaluating the results forming an opinion on the F/S
Explain control activity
policies that help ensure mgmt. goals are carried out what to do about risks filters the CR in AAR formula
AAR is ______ related to PDR and ______ related to planned evidence
positively inversely
Mgmt is not responsible for understanding and testing IC of fin reporting if
private
_______ selection is required for all statistical sampling methods it is not acceptable to evaluate a _________ sample using statistical methods
probabilistic non-prob
what are the two different types of selections of sample items to test?
probabilistic non-probabilistic
Explain monitoring activities
process to access quality of IC performance over time making sure people are following thru on controls
the components of ARM may be assessed in ____ and ____ terms
quantitative like % non-quantitative like low, med, high
Analytical procedures emphasize the overall ______ of transactions and balances
reasonableness
What are the 5 classes of transactions in the sales and collection cycle and their accompanying JEs
recording of sales (DR AR, CR sales) cash receipts (DR $, CR AR) sales returns and allowances (DR sales returns and allowances, CR AR) writing off uncollectible accounts (DR ADA, CR AR) estimating BDE (DR BDE, CR ADA)
For an example, if a test of IC is to inspect bank reconciliation for the appropriate signature (aka control), a substantive test would likely..
reperform the bank reconciliation
assessment of CR updated throughout audit based on...
results of control procedures
what are some options if sample results dont support the assessed CR
revise TER or ARO? expand sample? revise CR?
What are the 5 types of audit tests?
risk assessment procedures TOC STOT SAP TODOB
What is audit risk
risk that an auditor expresses an inappropriate (clean) opinion on materially misstated F/S
What is control risk
risk that internal control will not timely prevent or detect and correct a material misstatement that could occur in an assertion
adequate segregation of duties requires: credit function separate from ____ _____ separate from billing cash receipts separate from ___
sales shipping AR
Example: sales order -> proof of delivery -> invoice -> sales journal if we are testing occurrence of sales, the population is ___ which is used to...
sales journal vouch to evidence for invoices, proof of delivery, and sales order
the credit function being separate from sales lowers the risk of..
sales to customers who are not credit worthy and risk of increasing BDE
what is SER
sample exception rate; number of exceptions divided by sample size
______ is required whenever auditor does not test the entire group of transactions or all items in a balance
sampling
audit risk is impacted by which risks
sampling and non-sampling risks
a sample of all items eliminates.... but does not necessarily impact....
sampling risk non-sampling risk
what are the two types of calculations for sample size? describe them
statistical- requires random sample and uses probability to choose a more efficient sample size non-statistical- may use non-random sample and relies more on auditor's judgment
If a company doesn't have good controls, auditor will use a (control/substantive) based approach and place a (high/low) CR for everything
substantive high
What type of test is designed to test for dollar misstatements? Which is most likely to detect monetary errors?
substantive tests SAP
Tests of transactions and _____ are also complimentary
tests of balances
Do tests of design or tests of controls require the auditor to update CR? In which scenario?
tests of controls If he finds the control is not operating effectively
CR is assessed based on how well IC are operating, not set UNLESS...
the auditor is not relying on IC
The most significant effect of sales testing is on ...
the confirmation process of AR where type of confirmation, the size of the samples, and timing are all affected
When testing controls, an auditor will consider whether the results of their tests applied to a sample provide evidence that... When conducting substantive tests of transactions, an auditor will consider whether the results of their tests applied to a sample provide evidence that....
the control is effective within the entire pop the class of transaction is fairly stated (audit objectives)
The difference btw IC and substantive tests is, testing IC requires proof that... while a substantive test collects evidence that...
the control was executed correctly JE are substantiated by source dox or other evidence
If errors are found in a sample, calculate for the pop....
the deviation rate for controls misstatement for class of transactions
What is RMM? What is it comprised of
the entity's risks= IR*CR risk that F/S are materially misstated prior to audit
we expect the sample to provide a reasonable basis for drawing conclusions about ____. this is called a _____ sample because the _____ in the sample are the same as those in the _____
the population representative characteristics population
cash receipts being separate from AR lowers the risk of...
theft of cash being covered up in acct records (aka lapping)
When considering internal controls, auditors are concerned with the client's internal controls over the safeguarding of assets if...
they affect the fin statements
The goal of assessing CR is..
to determine whether IC design will prevent misstatements from occurring OR will detect and correct misstatements that have occurred
What is TER depends on assessed...
tolerable exception rate; highest deviation rate we can find and still rely on the control; this is the standard; matter of auditor judgment depends on assessed materiality and importance of attribute
Explain control environment requires??
tone at the top (aka mgmt./parents making sure that workers/kids doing what they should by following same standards) influences control consciousness of its people requires BOD or audit committee participation
Assess CR for each
transaction-related audit objective for each major transaction in each cycle
many tests of _______ are dual-purpose tests for both ____ and ____, making these two complimentary considering _____
transactions TOCs and STOTs cost effectiveness
the shipping function being separate from billing lowers the risk of...
unauthorized shipments and theft of goods
What is an auditor's responsibility for all clients?
understand IC system well enough to perform audit
the initial assessment of CR is obtained through...
understanding the entity and the control environment evaluating design and implementation of controls
The ______ in statistical attribute sampling is a statistical measure at a specified confidence level of the maximum rate of occurrence of an attribute
upper precision limit (CUER)
Auditor can minimize sampling risk by... What are some consequences of sampling risk?
using a larger sample size or better sample selection techniques wrong opinion + potential legal liab gathering too much evidence -> lower profit
in the final step of sampling, the auditor must analyze the character of the exceptions to determine.... and whether additional work should be done EVEN if...
what weakness in IC caused them TER >= CUER