Audit Final
Given ____ and ____, and our desire to achieve a certain level of ____, how much __________ do we need?
IR, CR AR Evidence
Auditor A assess materiality at $1,000,000 Auditor B assess materiality at $2,000,000 Clients have similar F/S Why might the two auditors have assessed different levels?
This depends on the *judgment* of users - some users might want different things A: Large publicly traded company, highly monitored, high analyst targets, lots of common stock investors B: Privately owned company, small set of investors, small loans, etc.
Write-off authorization
This document authorizes the write-off of an uncollectible account receivable. Final approval is generally authorized by the treasurer.
What are auditors responsible for in terms of Internal controls with PRIVATE companies?
(F/S / GAAS audit) Auditors may learn just enough about internal controls to decide they won't rely on it If controls are poor - control risk high. Stop, don't invest any additional effort in testing controls because have to do a lot of substantive testing anyways If controls are good - control risk low. Can depend on these controls, and can do less substantive testing
What are auditors responsible for in terms of Internal controls with PUBLIC companies?
(Integrated audit) Auditing standards require auditors to obtain an understanding of internal controls relevant to the audit Must audit internal controls over financial reporting and issue an opinion about the effectiveness of those controls
Audit Risk Model Flowthrough
(risk of MM) Inherent risk --> Control risk --> Detection risk --> Audit risk
Credit memo
*number one control in return process* a document, approved by the credit manager, authorizing the billing department to credit a customer's account *triggers recording of reversal of sale*
Common qualitative benchmark affecting materiality
-Amounts involving fraud -Amounts affecting contractual obligations (loan covenants) -Amounts affecting a trend in earnings (increases, profit/loss, analyst estimates)
Materiality judgment
1. Auditors make this during *planning*, but can be *revised* during the engagement 2. Consider the F/S as a *whole* 3. Represents the *maximum* amount by which the auditor believes the F/S could be misstated and still *not affect* the decisions of reasonable users (above this threshold, I expect judgments to be affected) 4. Used to help plan the appropriate evidence to accumulate (Lower dollar amount/materiality threshold = more evidence) 5. Used to evaluate misstatements that are discovered, then management must correct them in order to receive an *unqualified opinion*
Collections Processes
1. Collections - receiving, depositing, and recording payments (ex: processing and recording cash receipts) 2. Sales adjustments - customers may return goods or seller may just grant a reduction in the charges (ex: processing and recording sales returns/allowances) 3. Account write-offs - if an amount cannot be collected, company must write it off; companies need to analyze the likelihood of collections and record provision for bad debt expense
Sales processes
1. Customer approval -credit needs to be authorized (sign-off or pre-approved credit limits) -engage w/ customers and make sure you want to do business w/ them 2. Sales order entry - acceptance of customer orders and entry into system -customer could've placed order 3. Shipping -shipments need to be authorized -process of fulfilling customer order 4. Billing (and recording sales) -all shipments must be billed (completeness) -no shipment can be billed more than once (occurrence) -each shipment must be billed for the correct amount (accuracy) *send customer invoice - evidence of transactions and signals recording of the sale*
Using the audit risk model in audit planning
1. Establish audit risk for audit as a whole 2. For each assertion, assess IR, CR, then calculate DR w/ formula 3. DR is used to determine the nature, extent, and timing (NET of audit work) 3: how much evidence we need and what types of evidence we need
Why are audits not a guarantee
1. Nature of audit evidence 2. Cost constraints
Assessing control risk
1. Obtain an understanding of internal controls 2. Assess control risk for F/S assertions (preliminary) - set risk % -Associate controls (and known deficiencies in controls) with assertions -Consider compensating controls when deficiencies exist -Controls can relate to more than one assertion 3. Test effectiveness of internal controls 4. Assess operating effectiveness of controls (update CR)
Fraud risk factors for revenue
1. Side agreement 2. Channel stuffing 3. Bill and hold
Types of Audit Tests
1. Test of controls 2. Substantive tests of transactions (STOTS) 3. Substantive tests of account balances (STOBS) 4. Substantive analytical procedures (SAPS)
There are several factors that affect an audit firm's business risk and, therefore, acceptable audit risk. Discuss three of these factors.
1. The degree to which external users will rely on the statements. For large, publicly held clients, business risk is greater, and acceptable audit risk will be less, than for small, privately-held clients, all things being equal. 2. The likelihood that a client will have financial difficulties after the audit report is issued. Business risk is greater, and acceptable audit risk will be lower, when the client is experiencing financial difficulties. 3. The auditor's evaluation of management's integrity. Business risk is greater and acceptable audit risk will be lower when the client's management has questionable integrity.
Reporting options for opinions on internal controls
1. Unqualified 2. Adverse - only 1 or more material weaknesses 3. Disclaimer - (1) not independent (2) couldn't gather enough evidence
One major limitation in the application of the audit risk model is the difficulty of measuring the components of the model. A) True B) False
A
Customer check
Clerk reconciles items, endorses checks, prepares remittance list and sends checks and list copy to cash receipts department. Cash receipts clerk records checks in cash receipts journal, prepares deposit slip and sends checks to bank.
In the context of the audit risk model, control risk is always
> 0%
As the acceptable level of detection risk increases, an auditor may change the: A) timing of substantive tests by performing them at an interim date rather than year end. B) timing of the tests on controls by performing them throughout the year rather than at one time. C) assess the level of inherent risk to a lower amount. D) increase the sample size to achieve a more effective test.
A
Auditors begin their assessment of inherent risk during the planning phase and update the assessments throughout the audit. A) True B) False
A
Auditors begin their assessments of inherent risk during audit planning. Which of the following would not help in assessing inherent risk during the planning phase? A) Obtaining client's agreement on the engagement letter B) Obtaining knowledge about the client's business and industry C) Touring the client's plant and offices D) Identifying related parties
A
Engagement risk is effectively the audit firm's business risk. A) True B) False
A
If an auditor believes the client will have financial difficulties after the audit report is issued, and external users will be relying heavily on the financial statements, the auditor will probably set acceptable audit risk as low. A) True B) False
A
When management has an adequate level of integrity for the auditor to accept the engagement but cannot be regarded as completely honest in all dealings, auditors normally: A) reduce acceptable audit risk and increase inherent risk. B) reduce inherent risk and control risk. C) increase inherent risk and control risk. D) increase acceptable audit risk and reduce inherent risk.
A
Monthly statements
A document listing all transactions that occurred during the past month, and informing customers of their current account balance.
Sales invoice
A document notifying customers of the amount of a sale, how much they ordered, and where to send payment *triggers recording of the sale*
Management letter
A letter from the auditor to management (CEO, CFO, controller) making recommendations to the entity based on observations during the audit; not just problems This can help auditors retain business by giving management the ease to see the value of the audit more clearly
Cycle approach
A method of dividing an audit by keeping closely-related types of transactions and account balances in the same segment Look at the process and F/S accounts related to that process Test AR: STOTS for sales/collections STOBS for ending balance STOTS gives the initial comfort STOBS but we will still test the balances Approach differs based on client (type of business, industry, accounting principles)
AR Aging report
A report listing customer account balances by length of time outstanding
Sales cycle
A seven step process that describes key selling events from an initial prospect to a satisfied customer Collection of accounts related to the sales process
Cash receipts journal
After reconciling, employee records check in the cash receipts journal and prepares a bank deposit slip.- sends check to bank
Selecting which test to perform
All procedures are interrelated, not mutually exclusive Consider the relationship between test of controls and substantive tests Consider the relationship between STOTS and STOBS Consider the relationship between SAPS and other substantive tests End goal: least amount of substantive testing; effort we put into testing controls is worth it because less substantive testing is required thereafter
Customer purchase order
An agreement to purchase the stated material, for the stated price, under the stated terms - type and quantity of merchandise being requested (external doc from customer placing the order) formalize into sales order
Remittance advice
An optional attachment to a check that tells the business the reason for the payment. *signals what invoice is being paid*
Risk of material misstatement
Combined assessment of IR and CR The risk that the F/S are materially misstated *prior to the audit*
Side agreement
Arrangements used to alter terms and conditions of recorded sales in order to entice customers to accept delivery of goods ex: wrongfully give 100% guarantee and go back on word later
AR
Audit risk Likelihood that a material misstatement exists *after* the auditor issued an unqualified opinion *Audit fails to detect a material misstatement when one exists* You said F/S are fairly stated when in reality they're not Measure of auditor's *willingness to accept* that the F/S may be materially misstated after an unqualified opinion was issued More risky client - need a smaller audit risk to protect ourselves Less risky client - fine w/ higher audit risk (*INVERSE*)
Auditor A assess materiality at $1,000,000 Auditor B assess materiality at $2,000,000 How will the extent of testing differ between the two clients?
Auditor A will be doing more testing because they have to find any misstatements over 1 million vs. 2 million
Private company audit and CR
Auditor is *not required* to issue an opinion on internal controls, but they may have to test if they notice problems. If problems, CR high, which consequently affects how much substantive testing we do
Reporting results under GAAS (private company audit)
Auditor may not uncover deficiencies, but for deficiencies identified and deemed significant, auditor must report them to those charged with governance (ex: board of directors) - *not public* Smaller deficiencies can be reported to management via the management letter
3. Testing controls
Auditors must test controls if: -auditor is relying on internal controls to reduce audit work -client is a US public company (integrated audit) Four types of procedures: nvolves: 1. Make *inquiries* of appropriate client personnel (not strong by itself) 2. *Inspect* documents, records and reports 3. *Observe* control-related activities 4. *Reperform* client procedures
Financial Statement Cycles
Audits are performed by dividing the financial statements into smaller components Each component represents a process that is audited separately, but not independently Common way to divide an audit: *cycle approach* - groups related types (or classes) or transactions and account balances Look at the process and F/S accounts related to that process
In applying the audit risk model, auditors are concerned about overstatements, not understatements. A) True B) False
B
Debt/loan covenants
Bank: "Loan is contingent upon the company having a certain amount of net assets, revenue, etc." If anything goes below the required level, the bank can recall debt and the company has to pay back amount in whole *THIS IS MATERIAL*
1) Which of the following statements regarding inherent risk is correct? A) Inherent risk is unaffected by the auditor's experience with client's organization. B) Most auditors set a low inherent risk in the first year of an audit and increase it if experience shows that it was incorrect. C) Most auditors set a high inherent risk in the first year of an audit and reduce it in subsequent years as they gain more knowledge about the company. D) Inherent risk is dependent upon the strengths in client's internal control system.
C
Auditors respond to risk primarily by: I. changing the extent of testing. II. changing the types of audit procedures. A) I only B) II only C) I and II D) neither I nor i
C
Which of the following is not a primary consideration when assessing inherent risk? A) Nature of client's business B) Existence of related parties C) Degree of separation of duties D) Susceptibility to misappropriation of assets
C
5 Components of Internal Control
COSO Framework 1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information and Communication 5. Monitoring *Relates to objective criteria of attestation
4. Assess Effectiveness
Can update CR at this stage The auditor uses results of tests of controls to reassess CR, determine DR, and determine the substantive tests that will be performed over transactions/balances Auditor concludes on assessed CR after tests of IC (step 3) no change CR - no change higher than planned CR - increase substantive testing
CR
Control risk Likelihood that internal controls will not prevent or detect material misstatements Based on auditor's understanding of how well the client's internal controls are designed and operated How well the control system operates, and if controls are actually in place/working as management claims *Exists before auditor has looked for misstatements/DR* High CR --> high risk; auditor doesn't want to rely on IC at all Low CR --> low risk; auditor can rely on IC to reduce substantive testing (*DIRECT*)
Audit Risk Model
DR = (AR) / (IR x CR) A tool used to determine how much and what types of evidence we should get for each of management's assertions While planning procedures to obtain audit evidence, auditors consider risk at both the overall F/S and assertion level - this tool disciplines our thinking at the *assertion level*
Reporting results under an integrated audit (public US company)
Deficiencies found in the audit must be classified: 1. Material weakness -Deficiency/combination of deficiencies such that there is a reasonable possibility that a material misstatement won't be prevented/detected (by controls) *DOES NOT MEAN A MM DID FALL THROUGH, BUT THERES A POSSIBILITY THAT THERE ONE COULD HAVE* 2. Significant deficiency -Deficiency/combination of deficiencies that is less severe than (1) but is still important enough to merit attention by those charged with governance 3. Control deficiency -"Insignificant deficiency"
What are all companies responsible for in terms of Internal controls?
Designing and maintaining an effective system of internal controls
DR
Detection risk Likelihood that audit procedures (tests) fail to detect a material misstatement when one exists *OUR* tests and procedures will fail Audits are not a guarantee because of cost constraints and nature of evidence Determined by AR, IR, CR *INVERSE* relationship with the amount of evidence we plan to accumulate High DR = willing to take on a higher risk of audit procedures failing = less work/evidence Low DR = don't want to risk audit procedures failing = more work/evidence (*INVERSE*)
The assessment of audit risk is based on?
Engagement Risk
Revenue recognition - Earned
Entity has substantially completed the earnings process (generally upon delivery of product or service provided)
Tone at the top
Ethical tone set by top management Ethics and morality in the company - is there training for employees? Is management pushed to maintain sound controls and a good attitude?
Substantive analytical procedures (SAPS)
Evaluations of financial information through analysis of plausible relationships among financial and nonfinancial data -Can also be used to test for monetary misstatements as a substantive test Required during planning and completion phases More precise & detailed than analytical procedures conducted during planning *ONLY AS POWERFUL AS YOUR EXPECTATION* (expectations are developed from account balances using various data; if something is far away from expectation, there's a *heightened possibility* of misstatement)
Bill of lading
Formal contract between the seller and the shipping company that transports the goods to the customer; A legal contract with the carrier/trucking company for the bailment/possession/transport of the goods (quantity and weight is how we get charged by trucking companies)
Bill and hold
Inducements for customers to issue PO's in advance of needing goods, seller agrees to ship goods at later date ex: company pressures customers to issue PO now and we ship to them at a later date, ONLY allowed by GAAP when the *customer requests* and does so for *valid business purposes*
Channel stuffing
Inducements to distributions/customers to buy substantially more inventory than they can promptly resell/use (push product) ex: company induces distributor to take on more inventory than they can sell in near future to increase sales (could be by extending credit beyond what dist. would usually pay) but could screw you over for next year when they have an excess of inventory & don't need to buy more
IR
Inherent risk Likelihood/susceptibility of material misstatements *before* considering the effectiveness of internal controls -*Nature of client's business* -Type of GAAP accounting for that account is complex -Reputation of the client, have they had problems in the past? -Results of previous audits -New vs. current client (uncertainty = higher risk) -Related parties (everything completely disclosed?) -Management intentions/integrity ("evil hand" dropping in chips) -Any unreasonable transactions? -Changing company? -Complex or nonroutine transactions (higher risk) -Accounting requires judgment (subjective - things without a single correct answer) -Population of accounts (too many AR's?)
2. Risk Assessment
Management's identification and analysis of risks (relevant to the preparation of F/S) Management should be identifying sources of risk related to factors such as changes in the operating environment, new personnel, new IT systems, rapid growth, expanded foreign operations, etc. If they identify a risk, management must: 1. Estimate the significance of that risk 2. Assess the likelihood of the risk occurring 3. Develop specific actions (internal controls) that need to be taken to reduce the risk to an acceptable level
Monitoring
Management's ongoing and periodic assessment of the quality of internal controls to determine that controls are operating as intended and are modified when needed It's important that management modifies controls as conditions change (extinguish debt, buy other companies, etc.) For many companies, esp. larger, an internal audit department is essential for effective monitoring - they assist management with identifying new risks and how to respond to them
Price list
Master set of pre-established and approved prices for each product big control
Materiality - quantitative/qualitative factors
Matters in the context of the size of the company We will always set a quantitative threshold, but can't forget about other qualitative factors -Difference in trend -Profit vs. loss - Beating analyst targets
NET
Nature, extent, timing
Common quantitative benchmark affecting materiality
Net income before taxes (~5%) Total assets (0.5-1.0%) Sales (1-3%) *But can be scaled by the size of the company*
Can internal controls be completely effective?
No - 1. Collusion is always a possibility (can circumvent internal controls) 2. Systems are made in part of people (human error, lack of attention, competency, dependability of people) 3. Management can override internal controls (manual entries) 4. Cost-benefit trade-off (won't implement the control if benefit doesn't exceed the trade-off)
If we know controls are bad should we still test them?
No - why test them just to confirm they're bad, instead budget all your time to substantive testing because you'll have to do that anyways There's no single right answer about whether or not you should test controls/if there's a payoff to that
Information and Communication
Policies and procedures that ensure important information is identifies, captured, and made available to appropriate persons This system should ensure: 1. All parties understand their role in the system 2. Problems are brought to the attention of appropriate persons 3. Information flows down, up, and across departments Preventative controls - implement before they happen Detective controls - identify misstatements after they happen
Control Activities
Policies and procedures that help ensure necessary actions are taken to address risks to the achievement of the entity's objectives. 1. Performance reviews -Comparison of actual performance vs. expectations to help flag possible problems -Similar to analytical procedures but performed by management 2. Physical controls over assets and records -Ex: lock warehouse door, lock drawer for paper checks 3. Adequate segregation of duties -Separation of asset custody from recording -Separation of transaction authorization from custody of related assets (authorize a shipment then ship to self) -*Separation of operational decisions from accounting* ("sales manager sets bonus targets/incentives for sales group", can't have ability to book fake sales for team) 4. Process control activities -Proper authorization procedures (general - blanket approval for "all sales over 100k" vs. specific - have to review each individual transaction) -Adequate use of documentation and records (pre-numbered, timely) -Independent verification procedures (independent person vs. computer can check adequately; peer checking)
Substantive tests
Procedures designed to test for monetary misstatements that directly affect F/S STOTS STOBS SAPS STOTS and STOBS are sometimes called "tests of details" and performed together to save time/efficiency
Dual-purpose tests
Procedures that provide evidence for both tests of controls and substantive procedures Tests of transactions that both evaluate the effectiveness of controls and detect monetary misstatements ex: testing a sample of 25 recorded sales transactions controls operating effectively (approved price list was used) assertions are true (evidence of corresponding BOL to satisfy occurrent audit objective)
Internal controls
Processes designed to provide *management* with assurance that the company achieves its objectives and goals, such as: 1. *Reliability of financial reporting* 2. Effectiveness and efficiency of operations 3. Compliance with applicable laws and regulations Internal audits help management understand any risks within the company and what to do to fix them
Revenue recognition - realized
Product/service exchanged for cash, promise to pay (AR), or other assets convertible to cash
Revenue recognition
Revenues are inflows or other enhancements of assets of an entity or settlements of its liabilities (or combination of both) from delivering or producing goods, rendering services, or other activities that constitute the entity's major or central operation Revenue is recognized when *realized* and *earned* Realized = product/service exchanged for cash, promise to pay (AR), or other assets convertible to cash Earned = entity has substantially completed the earnings process (generally upon delivery of product or service provided)
What are US public companies responsible for in terms of Internal controls?
SOX requires that management issues an internal control report that includes: 1. A statement that management is responsible for internal controls 2. An assessment of the effectiveness of IC's as of year-end which assesses: a. Design of internal controls over financial reporting (created a system that effectively reduces risk?) b. Operating effectiveness of those controls (are the company's controls operating as per our expectations?) c. Whether management believes the controls are working or not
Test of details
STOTS and STOBS are sometimes called this
Sales journal
Special journal used for recording completed sales transactions. Entries are summarized in a sales journal voucher used to update the GL control account.
Sales order
Standardized document that captures such vital information as the name and address of the customer making the purchase; the customer's account number; the name, number, and description of the product; the quantities and unit price of the items sold; and other financial information (prepared internally)
Substantive tests of account balances (STOBS)
Test for monetary misstatements to determine whether balance-related assertions are true Focus on B/S: confirming AR balance, physical examination of inventory balance Should be conducted as close to the B/S date as possible (inv could be sold, AR collected, etc.)
Substantive tests of transactions (STOTS)
Test for monetary misstatements to determine whether transaction-related assertions are true Conducted throughout the year (period of time - 12 months) ex: testing a sample of recorded sales transactions Can be conducted jointly with tests of controls (*dual-purpose tests*)
Tests of controls
Test to determine whether internal controls are operating effectively Involves: 1. Make *inquiries* of appropriate client personnel (not strong by itself) 2. *Inspect* documents, records and reports 3. *Observe* control-related activities (better than inquiry, but people could only be doing something right because they're being watched) 4. *Reperform* client procedures *Exceptions found during tests of controls do not necessarily indicate a monetary misstatement*
Control Environment
The actions, policies, and procedures that reflect the overall attitudes of top management ("tone at the top") It is the foundation/forms basis for all other components of internal control An appropriate "tone at the top" is often evidenced by the implementation of effective management or "entity-level" controls
Materiality
The magnitude of an omission or misstatement of accounting information that makes it *probable* that the *judgement* of a *reasonable person* relying on the information would have been changed or influenced by the omission or misstatement
Engagement Risk
The risk that the auditor will suffer harm after the audit is finished Likelihood that the auditor will have to defend their work Factors affecting this: -Degree to which external users rely on F/S (client size, private vs. public) - Likelihood that the client has financial difficulties after the report is issued -Auditor's evaluation of management's integrity/motivations -Likelihood of litigation: if lawsuit is more likely, want to take on a smaller risk of getting the opinion wrong -Adverse/harmful publicity, or other events arising in connection with the audited financial statements -Fines
1. Obtaining an understanding of internal controls
Three commonly used methods: 1. Narrative - a written description PBC of client's internal controls (how they handle sales & liquidate to cash) - we request from client 2. Flowchart - a diagram PBC of the client's documents and their sequential flow/processes in the organization 3. Control questionnaire - a series of questions answered by the auditor about the controls in each audit area as a means to identify internal control deficiencies List of controls that the auditor expects to see - did management implement them? 4. To validate understanding - do a walkthrough - select one transaction type ("sale") and trace one example transaction from initiation through the entire accounting process
Accounts receivable subledger
Updated for a sale Sales return: Remittance advices --> AR sub ledgers --> AR summary
Qualitative assessments
We can't put an exact number to risk (DR/AR/IR/CR), so we discipline our thinking with words rather than numbers -High risk -Medium -Low
Cash prelist
Who paid us and how much; An Important independent verification control point in sales procedures - last opportunity to detect errors before shipment Purpose: every payment that came in was actually deposited and matches our records at the end of the day Ar sub ledger = deposit to bank = math sum from pre-list
If a company has a negative opinion on internal controls, can they still have an unqualified opinion on the F/S?
YES - can't assume anything based off of one opinion about the other
Materiality is a ______ rather than an _____ concept
relative; absolute ($10M misstatement to starbucks vs. local coffee)