Audit 3.5-3.8
Risk Assessment (4)
1. adoption of new accounting principles 2. New personnel 3. Incorporation of new technology 4. corporate restructuring
Tests of controls are generally required when? (3)
1. an entity conducts its business using IT 2. highly automated processing 3. audit evidence is obtained in electronic form
What 2 things are always required in an audit?
1. analytical procedures 2. risk assessment procedures
Existing control activities (4)
1. authorization of transactions 2. segregation of duties 3. measurement and recording of proper monetary values 4. Operating performance reviews
Test of controls are performed when? (2)
1. controls are operating effectively 2. information technology
Automated controls are suitable of what 2 things?
1. high volume or recurring transactions 2. control activities that can be adequately design and automated
3 times the auditor may have to disclose noncompliance to parties other than management
1. in response to inquires from an auditor to a predecessor auditor 2. in response to a court order 3. assistance from a government agency
5 procedures used to obtain evidence about the design and implementation of internal controls include:
1. inquiry of entity personnel 2. observation 3. inspection 4. observation of the entity's premises and plant facilities 5. walkthroughs
Monitoring
1. internal audit function
3 circumstances that would raise concern regarding the managements philosophy and operating style
1. management consumed with meeting budget 2. management dominated by one person 3. management compensation is contingent upon the entity financial performance
Control environment (3)
1. participation of those charged with governance 2. Assignment of authority, responsibility, & accountability 3. HR policies and practices 4.
Information and communication systems (2)
1. proper presentation of transactions and related disclosures 2.significant events captured by accounting systems
3 objectives of an internal controls
1. reliability of financial reporting 2. effectiveness and efficiency of operations 3. compliance with applicable laws and regulations
2 types of service audit reports
1. report on managements description of the service organizations system and the suitability of the design of controls 2. report on managements description of the service organizations system and the suitability of the design & operating effectiveness of controls
2 types(nature) of substantive procedures
1. test of details 2. substantive analytical procedures
While assessing the risk of material misstatement, what is the required documentation? (5)
1. the discussion among the audit team 2. key elements of the understanding of the entity and its environment 3. the assessment of the risk of material misstatement 4. the identified risks and related controls evaluated by the auditor 5. a more complex entity/environment results in more extensive audit procedures, which in turn should results in more extensive audit documentation
The auditor should obtain an understanding of what 2 things of noncompliance?
1. the legal and regulatory framework applicable 2. how the entity is complying with that framework
components of internal controls =
= CRIME
5 components of internal controls =
= CRIME 1. control environment 2. risk assessment 3. information and communication systems 4. monitoring 5. existing control activities
COPAL =
= Control group Operators Programmers Analyst Librarians
PAID TIPS =
= Prenumbered documents Authorized transactions Independent checks to maintain asset accountability Documentation Timely and appropriate performance reviews Information processing controls Physical controls for safeguarding assets Segregation of duties
AEIOU=
= auditors, external, internal, oral
FIND =
= flowchart, internal control questionnaire or checklist, narrative, and documentation from the client
IM A CPA =
= understanding Internal controls, risk of Material misstatement, respond to Assessed level of risk, test internal Controls, perform substantive Procedures, & evaluate the appropriateness of Audit evidence
Audit Evidence Hierarchy
AEIOU
An auditor's primary consideration in evaluating controls is whether specific controls:
Affect financial statement assertions.
In an audit of financial statements, an auditor's primary consideration regarding internal control is whether the control:
Affects management's financial statement assertions.
What is necessary in a financial statement audit?
An understanding of internal control relevant to an entity's financial reporting objective.
Who is responsible to follow GAAS?
Auditor
Who is responsible to obtain an understanding of internal controls?
Auditor
How would an auditor of a nonissuer most appropriately respond to a heightened assessed risk of material misstatement?
By assigning more experienced staff or those with specialized skills to high-risk areas.
the segregation of IT duties should be divided into what 5 categories?
COPAL
An auditor concludes that client management has been involved in noncompliance with a certain law and that this fact has not been properly accounted for or disclosed. The auditor should withdraw from the engagement if the:
Client refuses to accept the auditor's report as modified for the noncompliance.
The audit plan usually cannot be finalized until the:
Consideration of the entity's internal control has been completed.
When a service organization provides services that affect the initiation, execution, processing, or reporting of a user company's transactions, those services are:
Considered to be part of the user company's information system.
The overall attitude and awareness of those charged with governance (i.e., an entity's board of directors) concerning the importance of internal control usually is reflected in its:
Control environment.
In obtaining an understanding of the entity and its environment, including its internal control, an auditor is required to obtain knowledge about the:
Design of relevant internal controls pertaining to financial reporting in each of the five internal control components.
An audit client failed to maintain copies of its procedures manuals and organizational flowcharts. What should the auditor do in an audit of financial statements?
Document the auditor's understanding of internal controls.
Analytical procedures used in planning an audit should focus on: (2)
Enhancing the auditor's understanding of the client's business & Enhancing the auditor's understanding of the transactions and events that have occurred since the last audit.
The objective of tests of details of transactions performed as tests of controls is to:
Evaluate whether internal controls operated effectively.
Documenting the understanding of internal controls
FIND
Which level would most likely address the risk of material misstatement by the auditor's consideration of an entity's control environment?
Financial statements.
Analytical procedures during planning is required by who?
GAAS
Assessing the risk of material misstatements
IM A CPA
If an auditor's risk assessment is based on the effective operation of controls, the auditor will likely:
Identify specific internal controls that are likely to detect or prevent material misstatements.
In planning an audit, the auditor's knowledge about the design of relevant internal controls should be used to:
Identify the types of potential misstatements that could occur.
When the auditor's risk assessment is based on the effective operation of controls, the audit will most likely involve:
Identifying specific internal controls relevant to specific assertions.
Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been:
Implemented.
After testing a client's internal control activities, an auditor discovers a number of significant deficiencies in the operation of a client's internal controls. Under these circumstances the auditor most likely would:
Increase the assessment of control risk and increase the extent of substantive tests.
After performing risk assessment procedures, an auditor decided not to perform tests of controls. The auditor most likely decided that:
It would be inefficient to perform tests of controls that would result in a reduction in planned substantive tests.
The primary objective of procedures performed to obtain an understanding of the entity and its environment is to provide an auditor with:
Knowledge necessary for risk assessment and audit planning.
Who is responsible to follow GAAP?
Management
Management philosophy and operating style most likely would have a significant influence on an entity's control environment when:
Management is dominated by one individual.
When obtaining an understanding of an entity's internal controls, an auditor should concentrate on the substance of the controls rather than their form because:
Management may establish appropriate procedures but not enforce compliance with them.
The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that:
Material misstatements may exist in the financial statements.
Who is responsible for the detection of immaterial misstatements?
No one
What type audit techniques most likely would provide an auditor with the most assurance about the effectiveness of the operation of internal control?
Observation of client personnel.
Audit evidence concerning segregation of duties ordinarily is best obtained by:
Observing the employees as they apply control procedures.
As part of understanding internal control, an auditor is NOT required to:
Obtain knowledge about the operating effectiveness of internal control.
Control activities in a strong system of internal controls
PAID TIPS
An auditor should obtain sufficient knowledge of an entity's information system relevant to financial reporting to understand the:
Process used to prepare significant accounting estimates.
An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts:
Provide a visual depiction of client's activities.
In obtaining an understanding of a manufacturing entity's internal control concerning inventory balances, an auditor most likely would:
Review the entity's descriptions of inventory controls.
During an audit of a nonissuer's financial statements, an auditor should perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if:
Substantive procedures alone cannot provide sufficient appropriate audit evidence.
When there are numerous property and equipment transactions during the year, an auditor who plans to assess control risk at a low level usually performs:
Tests of controls and limited tests of current year property and equipment transactions.
When an auditor is to conduct an audit of a service organization, what considerations should the auditor make in the planning stages regarding internal controls of the organization?
The auditor should obtain an understanding of the effect of the user organization upon the service organization.
After obtaining an understanding of the entity and its environment, including its internal control, an auditor decided to perform tests of controls. This is likely because:
The auditor's risk assessment is based on the effective operation of controls.
If a budgetary reporting system provides adequate reports, but the reports are not analyzed and acted upon:
The control has been implemented but is not operating effectively.
What should be the primary criterion that should be considered in designing internal control?
The cost-benefit relationship
What is most likely to affect the extent of the documentation of the auditor's understanding of a client's system of internal controls?
The degree to which information technology is used in the accounting function.
What? is an important part of the organizational structure, which in turn is a key component of the control environment.
The suitability of the client's lines of reporting
The objective of performing analytical procedures in planning an audit is to identify the existence of:
Unusual transactions and events.
Duties should be segregated such that the work of one individual provides what?
a crosscheck on the work of another individual.
A narrative is a written version of what?a
a flowchart
Internal control questionnaires generally consist of what?
a list of yes or no questions
information and communication systems is?
a means of recording transactions and communicating responsibilities
No answers in internal control questionnaires typically represents what? & requires what?
a negative response & requires a written explanation
The auditors specific approach to identified risks at the relevant assertion level may consist of either what?
a substantive approach or combined approach
Interviewing and observing appropriate personnel to determine segregation of duties is what?
a test of controls.
Reviewing the service auditor's report on controls placed in operation would be the most efficient procedure when ?
an audit client uses a service organization for several processes.
Providing more supervision during an audit of a nonissuer in response to assessed risks of material misstatement at the financial statement level is an example of ?
an overall response.
If specific information concerning an act of noncompliance with laws and regulations comes to the auditor's attention, the auditor should what?
apply audit procedures specifically directed to ascertaining whether such an act has occurred.
monitoring is?
assessment of internal control performance over time
Clients internal controls should separate what 3 functions?
authorization, record keeping and custody of related assets
IT processing is inherently consistent, so it is possible to test only a few instances of the operations of an what?
automated control
Nature includes both what?
both its purpose (test of controls vs. substantive procedure) and its type (inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedure)
Who is responsible for the establishment of the timing of the audit?
both management and auditor
Who is responsible for coordinating clients assistance?
both management and auditors
An inherent limitation to internal control is the fact that controls can be what?
circumvented by management override.
Most common planning analytical procedure?
comparing FS to budgets
existing control activities is?
control policies and procedures
Tests of controls are required to support the auditor's assumption that?
controls are operating effectively.
The examination of client records documenting the use of EDP programs is a test of ?
controls.
An audit of financial statements is a what kind of process?
cumulative process.
In obtaining an understanding of an entity's internal control, an auditor is required to obtain knowledge about the ?
design of controls and whether they have been implemented
When an auditor assesses control risk at the maximum level, the assessment should be what? and the auditor should make a decision about what?
documented and the auditor should make decisions to potentially perform more substantive procedures.
when should evidence regarding the test of controls be obtains?
during the period of reliance
The auditor is not required to do what according to GAAS?
evaluate operating effectiveness as part of obtaining an understanding of internal control, and therefore need not document the basis for this decision.
The more complex the IT system, the more ? The less complex the IT system, more ?
extensive the documentation (such as flowcharts, narratives, questionnaires, decision tables, etc.) & limited documentation, such as a memorandum, may be sufficient.
control environment factors? (5)
factors include management's philosophy and operating style, the entity's organizational structure, the participation of those charged with governance, methods of assigning authority and responsibility, and human resource policies and practices.
What is the COSO framework?
for internal controls which reporesents a means used by an entity to help it achieve its objectives
The longer the period between the interim date and the period end, the?
greater the risk
When the status of internal control is none or weak, what is the risk level, do you perform control tests, & do you perform substantive procedures?
high, no unless there is heavy use of IT, & yes - maximum
Automated controls are more suitable than manual controls where transactions are what?
high-volume and recurring.
Client records documenting the use of EDP programs would be a relevant item for an auditor to examine while determining what?
if internal control is operating as designed.
Preparation of system flowcharts may aid in the auditor's understanding of internal control, but would not?
indicate whether controls were actually operating as designed.
The classes of transactions in the issuer's operations that are significant to the issuer's financial statements are typically assessed when the auditor is obtaining an understanding of the?
information and communication component of internal control.
General controls of information processing applies to what?
information processing throughout the company
The issuance of additional long-term debt with complex financial covenants increases what?
inherent risk
Program flowchart
initially created to document the logic and existing flow of a computer program
Observation by the auditor provides more assurance than audit evidence obtained by?
inquiry alone.
To obtain audit evidence about control risk, an auditor selects tests from a variety of techniques including: (4)
inspecting documentation, inquiry, observation, and reperformance.
Timing of an audit test may be performed when?
interim or period end
In considering whether the service auditor's report is satisfactory for the user auditor; the user auditor should do what?
make inquiries concerning the service auditor's reputation.
Risk assessment is by who?
management
Who is responsible for compliance with laws and regulations?
management
Who is responsible for the establishment of internal controls?
management
Who is responsible for the preparation of FS?
management
inherent limitation in internal control? (3)
management override, human error, & collusion
The best compensating control for the lack of segregation of duties in smaller organizations is to have more what?
management oversight of incompatible functions.
risk assessment is?
managements identification of risk
Substantive procedures are used to detect what?
material misstatements at the relevant assertion level
Is test pf operating effectiveness of controls required?
no
the nature of acts of noncompliance with laws and regulations having an indirect effect on the financial statements, the auditor provides what kind of assurance that such acts will be detected?
no
If an auditor wishes to perform a test of controls over a procedure that leaves no audit trail, then the auditor must use what 2 techniques?
observation and inquiry to test the control.
As the planned level of reliance on the operating effectiveness of a control increases, the auditor should do what?
obtain a more reliable or more extensive audit evidence
Assessing control risk may be performed concurrently during an audit with what?
obtaining an understanding of the entity's internal control.
The objective of tests of controls is to evaluate whether a control does what?
operated effectively.
If it would take less time or be more efficient to perform substantive tests than it would to perform tests of controls, and if there is no what?
other reason to test controls aka dont test controls
The control environment has what kind of effect on the auditors risk assessment?
pervasive
An auditor of a nonissuer should design tests of details to ensure that sufficient audit evidence supports the what?
planned level of assurance at the relevant assertion level.
Test of controls, not test of details, would support the what?
planned level of control risk.
In a well designed internal control environment, errors should be ?
prevented and/or detected by employees in the ordinary course of their job & business
In situations involving noncompliance, the auditor is not responsible for what?
preventing noncompliance and cannot be expected to detect noncompliance with all laws and regulations
Application controls apply to the what?
processing of individual transactions and help to ensure that transactions occurred, are authorized, and are completely and accurately processed and reported
report on managements description of the service organizations system and the suitability of the design & operating effectiveness of controls may do what?
provide evidence that would allow a reduction in the assessed level of control risk
report on managements description of the service organizations system and the suitability of the design of controls does not do what?
provide the user CPA for a basis for reducing the assessment of control risk
The auditor should design the audit to provide what kind of assurance that direct effect acts of noncompliance are detected?
reasonable
Detective controls are designed to provide what?
reasonable assurance that error or irregularities are discovered and corrected on a timely basis.
Preventive controls are designed to provide what?
reasonable assurance that only valid transactions are recognized, approved, and submitted for processing
The results of further audit procedures may lead to what?
reassess the risk of material misstatements
General controls are policies and procedures that what?
relate to many applications and support the effective functioning and proper operations of the IS.
The most efficient way to obtain information about the trust department's internal controls is to?
rely on the trust department's audit report on internal controls placed in operation and their operating effectiveness.
60% of the time, what is the fraud of choice?
revenue recognition
Considering whether control activities can have a pervasive effect on financial statement assertions is part of the auditor's ?
risk assessment process.
In designing test of details, the extent of substantive procedures generally refers to what?
sample size
System flowcharts
shows the origin of each document in the system, its subsequent processing, and its final disposition
Analysis, confirmation, calculations, analytical procedures and comparison are what kind of test?
substantive tests of account balances,
An auditor uses the knowledge provided by the understanding of internal control and the final assessed risk of material misstatement primarily to determine the nature, timing, and extent of the ?
substantive tests to be performed.
Controls that are tested only during interim period should be what?
supplemented by additional evidence for the remaining period
substantive procedures
test of details of transactions and balances and analytical review procedures designed to substantiate the account balances shown in FS.
If the auditor plans to rely on controls that have changed since they were last tested, the auditor should ?
test the operating effectiveness of such controls in the current audit.
When an entity transmits, processes, maintains, or accesses significant information electronically, factors unique to electronic processing may make it impractical or impossible to reduce detection risk to an acceptable level through substantive testing alone. In such cases, what should the auditor do?
tests of controls should be performed.
only those controls that are suitably designed to prevent or detect material misstatements are subject to what?
tests of operating effectiveness.
The auditor may conclude that withdrawal is necessary when the client does not take the remedial action that the auditor considers necessary in the circumstances, even when what?
the act of noncompliance with laws and regulations is not material to the financial statements
Entity level controls include controls related to what 3 things?
the control environment, the risk assessment process, and the policies over risk management practices
Management's philosophy and operating style is a factor in ?
the control environment.
Observation and inspection may be used to evaluate what?
the design of controls.
Internal control is relevant to who? (3)
the entity, its operating units, and its business functions.
The control environment sets the overall tone of the organization and is considered to be what?
the foundation for the other components of internal control.
The discovery of unexplained payments made to government employees would raise a question about what?
the occurrence of an act of noncompliance with laws and regulations.
control environment is?
the overall tone of the organization
Application controls of information processing applies to what?
the processing of individual transactions
Extent of an audit refers to what?
the quantity to be performed
The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of ?
the risk that material misstatements exist in the financial statements.
The control environment element of an entity's internal control relates to the tone of the organization, which includes what?
the tone of the organization, which includes human resource policies and practices.
Reports on internal control placed in operation and its operating effectiveness produced by the agent's own auditor would be an efficient means of obtaining information about what?
the transfer agent's internal controls.
When electronic data is not maintained indefinitely, the auditor must be careful to consider the appropriate what?
timing for audit tests, making sure that testing is performed while data is still available.
substantive procedures are ALWAYS required for each? (3)
transaction, account balances, and disclosures
If a control is applied on a transaction basis throughout the period, the auditor should what?
use sampling to test the control
What is the combined approach?
when both test of the operating effectiveness of controls and substantive procedures are used
WHen does a significant risk exist?
when inherent risk is exceptionally high
Can Prior audits be considered by the auditor in assessing control risk in the current audit.?
yes