Chapter 4 and 5

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

management at least one level above the people involved

"inconsequential" frauds should be reported to who?

financial statements to be materially misstated

a client's noncompliance with laws and regulations can also cause financial statements to be what?

walkthrough

a combination of inquiry of personnel, observation of an entity's operations, and document examination while tracing a single transaction through the entire audit trail from the beginning or the initiation of the transaction to its final inclusion in the financial statements

internal control deficiency

a condition that exists when the design or operation of a control does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion

significant deficiency

a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance

material weakness

a deficiency, or combination or deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis

relevant assertion

a financial statement assertion that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated

enterprise risk management (ERM)

a process effected by an entity's board of directors, management, and other personnel applied in strategy setting and across the enterprise that is designed to identify potential events that may affect the entity and to manage risks to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives

- title - responsibility of auditors and management - in accordance with PCAOB standards - definition of internal control over ICFR - inherent limitations - opinion - reference to opinion on financial statements - date of report

components of the auditor's report on internal control over financial reporting

- the company's organizational structure and management personnel - the sources of funding of the company's operations and investment activities - the company's significant investments - the company's operating characteristics, including its size and complexity - the sources of the company's earnings, including the relative profitability of key products and services, and key supplier and customer relationships

components of the nature of the company and related parties

- relevant industry, regulatory, and other external factors - the nature of the company and related parties - the effect of client computerized processing - the company's selection and application of accounting principles, including related disclosures - the company's objectives and strategies and those related business risks that might reasonably be expected to result in risk of MM - the company's measurement and analysis of its financial performance

components of understanding the client's business and its environment

the Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (COSO)

consisting of the FEI, AAA, IIA, IMA, and AICPA, group that debated internal control theory and definitions in 1992 and published an updated version in 2013

transaction-level controls

controls that relate to specific classes of transactions, account balances, and disclosures

- appointment, compensation, and oversight of the public accounting firm conducting the entity's audit - resolution of disagreements between management and the audit team - oversight of the entity's internal audit function - approval of nonaudit services provided by the public accounting firm performing the audit engagement

duties of the audit committee

- frauds involving senior managements or employees with internal control roles, along with any frauds that cause material misstatement - should be reported directly to those charged with governance, usually the entity's audit committee or its board of directors

examples of consequential frauds and who they should be reported to

nature: more effective tests timing: testing at year-end extent: more tests with higher sample size

if a lower detection risk is allowed, what does that mean for the nature, timing, and extent of the audit procedures?

enlist the cooperation of management and assist fraud examination professionals when bringing an investigation to a conclusion

if preliminary findings indicate fraud possibilities, what should auditors do?

existence, completeness, and valuation

relevant assertions to accounts recievable

existence, valuation, presentation and disclosure

relevant assertions to cash

control environment

sets the tone of the organization, the foundation for all other components of internal control and is influenced heavily by a company's management team

- periodic evaluation by internal auditing - supervisory review of controls - follow-up of reporting errors - follow up of customer complaints - audit committee inquiries

some common monitoring controls include:

control activities (C in CRIME)

specific actions taken by a client's management and employees to help ensure that management directives are carried out

completeness

starting with a source document and following it forward to the financial statements tests what assertion?

occurrence

starting with the financial report and following it backward to the source document tests what assertion?

detection risk

the likelihood that the auditors' substantive procedures will fail to detect a material misstatement that exists within an account balance or class of transactions

control risk

the likelihood that the client's internal control policies and procedures fail to prevent or detect a material misstatement

board of directors (specifically the audit committee)

the oversight provided to the entity by the ___ __ _____ provides the highest level of monitoring

audit risk

the probability that an audit team will express an inappropriate audit opinion when the financial statements are materially misstated (give an unmodified opinion on FS that are misleading because of material misstatements that the auditors failed to discover)

inherent risk

the probability that in the absence of internal controls, material errors or frauds could enter the accounting system used to develop financial statements

1) have two separate reports (one on the fairness of the entity's financial statements and a separate one on internal control over financial reporting) 2) combined report (one opinion on FS and the second on the effectiveness of ICFR)

two options available for reporting on internal control

accuracy

when repairs and maintenance expenses are recorded as additions to property, plant, and equipment accounts to keep expenses off the income statement, what management assertion is violated?

completeness

when shipments are made to an employee's friend and intentionally never recorded, what management assertion is violated?

cutoff

when shipments made in january (of the next fiscal year) are backdated and recorded as sales in december, what management assertion is violated?

inherent risk other meanings

- the susceptibility of the account to misstatement - a function of the nature of the client's business and strategy to achieve competitive advantage, the major types of transactions, and the effectiveness and integrity of its managers and accountants

1) overstating revenues and assets 2) understating expenses and liabilities 3) giving disclosures that are misstated or that omit important information

3 main ways that companies have caused financial statements to be misstated

- internal control questionnaire - narrative description - flowchart

3 means for documenting the audit team's understanding of internal control

1. authorization to execute transactions 2. recording transactions 3. custody of assets involved in the transactions 4. reconciliation of existing assets to recorded amounts

4 types of responsibilities that should be performed by different departments

- control environment (E) - risk assessment (R) - control activities (C) - monitoring (M) - information and communication (I) CRIME

5 components of a properly designed internal control system

1. planning the engagement 2. using a top-down approach 3. testing controls 4. evaluating identified deficiencies 5. wrapping up 6. reporting on internal control

6 step audit process that is designed to evaluate the effectiveness of the internal control system over financial reporting

internal control

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting, the effectiveness and efficiency of operations, and compliance with applicable laws and regulations

follow up on suspected violations material to the financial statements

auditor's responsibility for indirect-effect noncompliance

- aggressive attitudes - high turnover - known history of violations - decisions are dominated by an individual or a small group - managers engage in frequent disputes with auditors

Examples of the management characteristics/influences that might indicate increased risk of fraudulent financial reporting

- company profits lag those of its industry - market is saturated due to competition - declining/rapidly changing industry

Examples of industry conditions that might indicate increased risk of fraudulent financial reporting

- weak internal control - insufficient cash flows - pressure to obtain capital - personnel are inexperienced - significant transactions/balances that contain estimates that are difficult to audit - significant and unusual related-party transactions

Examples of operating characteristics and financial stability that might indicate increased risk of fraudulent financial reporting

Completeness

Which assertion are these internal control activities implemented for? - check invoices with shipping document in A/R ledger

Existence

Which assertion are these internal control activities implemented for? - the CFO performs a detailed review of the bank reconciliation on a monthly basis - check sales order and shipping document to make sure sales were earned and a customer owes a balance

Valuation

Which assertion are these internal control activities implemented for? - the treasurer reviews the cash translation adjustment calculation monthly and independently checks that the appropriate spot rate has been used for each foreign currency -management evaluates the collectability of delinquent receivables on a timely basis

extent

_____ of an audit procedure refers to the number of tests performed

nature

______ of an audit procedure refers to the type of procedure (observation, recalculation, inquiry) and the purpose of the procedure (test of controls, substantive procedures)

timing

______ of an audit procedure refers to when the audit procedures will be completed

management's annual report on internal control over financial reporting

a report required by the Sarbanes-Oxley Act that states that management is responsible for establishing and maintaining adequate internal control over financial reporting, identifies the framework management uses to evaluate the effectiveness of the entity's internal control, and provides management's assessment of the effectiveness of the entity's internal control

fraud risk

a special case of the risk of MM related to those situations where management intended to mislead the marketplace by issuing fraudulent financial statements

audit committee

a subcommittee of the board of directors that is generally composed of 3-6 "outside" members of the organization's board of directors

embezzlement

a type of fraud involving employees or nonemployees wrongfully taking money or property entrusted to their care, custody, and control, often accompanied by false accounting entries and other forms of lying and cover-up

- integrity and ethical values of management - board of directors exercising oversight to FR and IC - management supporting ICFR - FR competencies - human resources

a well-functioning internal control environment is characterized by philosophies such as:

- ongoing and separate evaluations to ensure that internal control continues to function over time - reporting deficiencies and identified and communicated corrective action

a well-functioning monitoring system is characterized by:

all members = financially literate one member = financial expert

all members of the audit committee must be _____, and one member must be a ______

significant account or disclosure

an account or disclosure that has a reasonable possibility of containing a material misstatement individually or when aggregated with others regardless of the effect of controls

dual-purpose test

an audit procedure that can be used as both a test of controls and a substantive test

information system

an entity's system, usually built on some type of technological platform that has been designed to produce the information necessary for the entity to operate and control its business operations

defalcation

another name for employee fraud, embezzlement, and larceny, also called misappropriation of assets

business risks

any risks that could adversely affect a company's ability to achieve its objectives and execute its strategies

no, only as it affects the financial statements. They are not responsible to detect all fraud but are responsible to detect cases where fraudulent activity results in materially misstated financial statements

are audit teams concerned with all fraud?

Phase 3: identify controls to test and perform test of controls

at this stage of internal control evaluation, audit teams have already identified specific control activities for relevant assertions on which risk could be assessed below the maximum (100%), which controls the audit team intends to rely

management letters

audit teams often issue these in addition to a internal control report which contains commentary and suggestions on a variety of matters (operational/administrative efficiency, business strategy, profit-making possibilities)

design procedures to provide reasonable assurance

auditor's responsibility for direct-effect noncompliance

1. for public companies, audit and issue an opinion about the effectiveness of internal control over financial reporting (ICFR) 2. evaluate whether control are in place to mitigate each fraud risk 3. assess control risk to determine the nature, timing and extent of substantive procedures to be performed

auditor's responsibility for internal control

incompatible responsibilities

combinations of responsibilities that place a person alone in a position to create and conceal misstatements due to errors or frauds in their normal job

exception testing

designed to identify a violation of a particular control activity through the use of an automated test procedure designed to test all items in a population

DR = AR / (IR x CR)

detection risk equation (also read and know image)

design effectiveness

determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements

nonpublic entity audits don't need to test the operating effectiveness of controls if they are not planning on relying on them, public entity audits are much more extensive

difference between testing the operating effectiveness of internal controls for nonpublic and public entities

IC: opinion on the effectiveness of internal control FS: no opinion on internal control

difference between the reporting of the internal control audit and the financial statement audit

IC: test each relevant control activity each year FS: test relevant control activities if relying on them

difference between the scope of the internal control audit and financial statement audit

the audit of internal control is as of the end of the fiscal year, whereas, for audits of the financial statements, the audit team must understand and evaluate internal control for the entire period

difference between timing for the audit of internal control and audit of financial statements

- industry developments (can't keep up with change) - new products/services (not being successful) - expansion of business (inaccurate demand estimate) - effects of implementing a strategy - financing requirements (loss of financing)

examples of situations in which business risks might result in material misstatement

- the environment in which the company operates (its "control environment") - the existence (or lack thereof) and effectiveness of control activities - monitoring activities (audit committee, internal audit function, etc)

factors affecting control risk

- dollar size of the account (higher = greater chance of fraud) - liquidity (greater = more susceptible) - volume of transactions (higher = greater chance) - complexity of transactions (more complex = greater chance) - subjective estimates (more fraud than objective ones)

factors that are related to the susceptibility of accounts to misstatement or fraud

1. develop an expectation 2. define a significant difference 3. compare expectation with the recorded amount 4. investigate significant differences 5. document each of the preceding steps

five steps to perform when completing analytical procedures

1. inquiry 2. observation 3. document examination 4. reperformance

four methods of testing controls, from least to most persuasive

1. performance reviews 2. separation of duties 3. physical controls 4. information-processing controls

four types of control activities

white-color crimes

fraud perpetrated by people who work in offices and steal with a pencil or from a computer terminal, the contrast is with violent street crime

audit risk is evaluated at both the overall financial statement level (as a whole) and for each significant account and disclosure through a focus on the relevant assertions identified

how is audit risk evaluated?

nature: less effective tests timing: testing at interim extent: fewer tests with lower sample size

if a higher detection risk is allowed, what does that mean for the nature, timing, and extent of the audit procedures?

1) the reporting objectives of the engagement and the nature of the communications required by auditing standards 2) the factors that are significant in directing the activities of the engagement team 3) the results of preliminary engagement activities and the auditor's evaluation risk assessment

in establishing the overall audit strategy, the auditor should take into account:

the closer the procedures are performed to year-end, the more effective they are because there is less chance of a MM occurring between the interim confirmation date and year-end

in reference to the timing of procedures, when are the procedures more effective?

audit committees

independent, outside members of the board of directors (those not involved in the company's day-to-day operations) who can provide a buffer between the audit firm and management, all companies with securities traded on the exchanges are required to have them

- investigations, fines, or penalties - inadequate audit trail - media comment - failure to file tax returns - unusual payments/transactions - excessive sales commissions or agent's fees

indicators of a company's noncompliance

- discussions with engagement personnel - procedures to identify and assess risk - significant decisions during discussion - specific risk identified and audit team responses - explanation of why improper revenue recognition is not a risk - results of audit procedures, particularly procedures regarding management override - other conditions causing auditors to believe that additional procedures are required - communications to management and those charged with governance, such as the audit committee

items that must be documented in the risk assessment process include:

- human error - collusion - deliberate circumvention - management override - cost/benefit analysis (trade-off between the cost and effectiveness of internal controls) - reasonable assurance (the cost of an entity's internal control should not exceed the benefits)

limitations of internal control

low: .1 - .45 moderate: .4 - .7 slightly below max: .6 - .95 max: 1

low, moderate, slightly below the max, and max control risk numerical categories

1. establishing and maintaining adequate internal control over financial reporting 2. assessing and reporting on the effectiveness of internal control over financial reporting

management responsibility for internal control

risk assessment (R in CRIME)

management's identification and analysis of relevant risks to achievement of its objectives

Monitoring (M in CRIME)

management's process that assesses the quality of the internal control's performance over time

- reviewing the board of directors' meeting minutes - making inquiries of key executives - reviewing stock ownership records

methods for identifying related-party transactions

operating deficiency

occurs when a properly designed control is either ignored or inappropriately applied

Phase 1: understand and document the client's internal control Phase 2: Assess the control risk (preliminary) Phase 3: Identify controls to test and perform test of controls

phases of internal control evaluation

authorized personnel

physical access to assets and important records, documents, and blank forms should be limited to who?

detective controls

procedures that detect misstatements after they occur

preventive controls (preferable to detective controls)

procedures that prevent misstatements before they occur (those that ensure hiring competent people, limiting access, requiring approval, separating duties)

to provide a buffer between the audit team and the operating team of the company, which allows the audit team to report any controversial findings to members of the board of directors without fear or reprisal

purpose of the audit committee being composed of mostly independent members

analytical procedures

reasonable tests; auditors compare their expectation for each of the account balances with those recorded by management, procedures that allow auditors to evaluate financial information by studying relationships among both financial and nonfinancial data

operating effectiveness

refers to whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively

design deficiency

relates to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control's objective

audit plan

summarizes all of the important planning information and serves to document that auditors have followed GAAS, lists the audit procedure to be completed for each relevant assertion related to each significant account and disclosure identified on the audit engagement

red flags

telltale signs and indications that have accompanied many frauds that have occurred in the past

fraud

the act of knowingly making material misrepresentations of fact with the intent of inducing someone to believe the falsehood and act on it, and thus, suffer a loss or damage

accounting estimates (ex- valuation of investment securities, NRV of A/R, depreciation, goodwill, pension expense, warranty liabilities)

the approximations of financial statement numbers often included in financial statements

narrative description

the audit documentation that describes the environmental elements, the accounting system, and the control activities in an entity's internal control

flowchart

the audit documentation that provides a visual display of the accounting system and control activities in an entity's internal control system

internal control questionnare

the audit documentation that uses a checklist of internal control - related questions to gain and document an understanding of the client's internal control

extended procedures

the audit procedures used in response to heightened fraud awareness as the result of the identification of significant risks

a material misstatement that was discovered during the previous audit

the best indicator of the risk of a material misstatement in the year under audit is...

risk of material misstatement (RMM)

the combined inherent and control risk; in other words, the likelihood that material misstatements may have entered the accounting system and not been detected and corrected by the client's internal control

vertical analysis

the common-size analysis of financial statement amounts created by expressing amounts as proportions of a common base such as sales for the income-statement accounts or total assets for the balance-sheet accounts

horizontal analysis

the comparative analysis of year-to-year changes in balance sheet and income statement accounts

entity-level controls

the controls that are pervasive to the financial statements taken as a whole

management fraud

the deliberate fraud committed by management that injures investors and creditors through materially misleading information

substantive procedures

the detailed audit and analytical procedures designed to detect material misstatements in account balances and footnote disclosures

fraudulent financial reporting

the intentional or reckless conduct, whether by act or omission, that results in materially misstated financial statements, sometimes used simultaneously with management fraud

audit strategy memorandum

the scope, timing, and direction for auditing each relevant assertion based on the results of the audit risk model, becomes the basis for preparing the audit plan

larceny

the simple theft of an employer's property that is not entrusted to an employee's care, custody or control

integrated audit

the term used to describe both an audit process that is designed to provide an opinion on both the financial statements and the internal control system of an entity

1. financial reporting 2. operations 3. compliance

the three categories of management objectives in which internal control is designed to satisfy

employee fraud

the use of fraudulent means to take money or other property from an employer (usually involves falsifications of some kind, using false documents, lying, exceeding authority, or violating an employer's policies)

indirect-effect noncompliance (ex- violations relating to insider securities trading, occupational health and safety, FDA regulations, environmental protection, equal employment opportunity)

the violations of laws and regulations that does not directly affect specific financial statement accounts or disclosures

direct-effect noncompliance (ex- violations of pension laws or government contract regulations for revenue and expense recognition)

the violations of laws or government regulations by the entity of its management or employees that produce direct and material effects on dollar amounts in financial statements

related parties

those individuals or organizations that can influence or be influenced by decisions of the company, possibly through family ties or investment relationships

significant risks (fraud risks are always significant)

those risks that require special audit consideration because of the nature of the risk or the likelihood and potential magnitude of misstatement related to the risk

1. Management's characteristics and influence 2. Industry conditions 3. Operating characteristics and financial stability

three categories of factors that might indicate increased risk of fraudulent financial reporting

1) the fraudulent act 2) the conversion of the funds or property to the fraudster's use 3) the cover-up

three phases of employee fraud

1. unqualified (no material weaknesses exist) 2. disclaimer (unable to determine whether material weaknesses exist) 3. adverse (one or more weaknesses exist

three types of opinions for internal control

1) testing all items in a population (uses exception testing) 2) testing a sample from a population (must include all occurrences of the relevant control activity for the entire period, and must be representative)

two approaches for selecting items for tests of internal controls

document examination

type of test for internal control: involves evidence of signatures, initials, checklists, reconciliations

observation

type of test for internal control: occurs when auditors have eyewitness observation of employees at their jobs performing control activities (ex- use of password-secured access, locked doors, security guards)

reperformance

type of test for internal control: the auditor would follow up on each reconciling item reviewed by the CFO and then reperform each of the mathematical calculations

inquiry

type of test for internal control: used to find about the existence of control activities and then corroborate the oral evidence by observing that the client-described control activities are actually being performed

general business sources - specialized trade magazines and journals (Forbes, Fortune, WSJ) - specific info about public companies found in registration statements and 10-K reports filed with the SEC company sources - corporate charter and by laws - contracts, agreements, and legal proceedings - minutes of meetings

types of general business and company sources used for gathering info and preliminary analytical procedures

errors

unintentional misstatements or omissions of amounts or disclosures in financial statements

- the internal control system is too ineffective in preventing misstatements to rely upon to justify reductions in substantive testing - it may take more time to test controls than it would to just perform more substantive testing (auditors of public companies must test controls)

what are the reasons as to why an auditor may not choose to test controls?

- made it so auditors must inform the organization's board of directors when they believe an illegal act more than "clearly inconsequential" has or may have occurred

what did the Private Securities Litigation Reform Act of 1995 do?

to obtain the evidence needed to determine whether "related parties and relationships and transactions with related parties have been properly identified, accounted for, and disclosed in the financial statements"

what is the auditor's primary objective in regard to related parties?

- build personal working relationships - observe the competence and integrity of client personnel - obtain a general understanding of the client or company - probing for problem areas that could harbor financial misstatements

what is the purpose of interviewing the entity's management, internal auditors, directors, audit committee and other employees?

- critical areas are discussed - first objective: update audit team members on important aspects of the audit and heighten team members' awareness of the potential fraud and errors - second objective: set a proper tone for the engagement

what occurs during a required brainstorming session during the risk assessment process?

performance reviews

what type of control activity requires management's active participation in the supervision of operations, such as management's study of budget variances with follow-up action?

there's an inverse relationship between detection risk and RMM - the greater the risk of MM, the lower the detection risk that auditors could allow in order to maintain the level of audit risk with which they feel comfortable)

what type of relationship exists between detection risk and RMM?

control risk - they cannot create or manage control risk - they can only evaluate an entity's internal control system and assess its magnitude in an appropriate manner

what type of risk do auditors have no effect on?

1) the likelihood and 2) materiality that a potential (or actual) misstatement would not be detected on a timely basis

what's the difference between a significant deficiency and a material weakness?

accuracy

when a company "short ships" a shipment to a customer and bills the customer for the full amount ordered, what management assertion is being violated?

classification

when a loan to a company's CEO (not permitted under Sarbanes Oxley) is classified as an account receivable to conceal the transaction, what management assertion is violated?

occurrence

when fictitious sales are recorded and charged to nonexistent customers, what management assertion is violated?

presentation and disclosure

when management fails to disclose litigation against the company, what management assertion is violated?

1. occurrence 2. accuracy 3. completeness

which financial statement assertion is supported by these information processing controls? 1. purchase orders must be authorized by purchasing department before any purchase is made 2. all invoices received from vendors for payment must be matched to receiving report and purchase order to ensure that the quantity billed agrees with the quantity ordered and received at previously agreed-upon prices 3. prenumbered documents must be used and accounted for to ensure that all transactions have been recorded

Phase 1: understand and document the client's internal control

which phase of internal control evaluation involves obtaining an overall acquaintance with the control environment and management's risk assessment, the flow of transactions through the accounting system, and the design of some client control activities?

Phase 2: assess the control risk (preliminary)

which phase of internal control evaluation involves the audit team members establishing an assessment of the level of control risk and identifying control strengths and weaknesses?

- addressed to management, the board of directors, or the audit committee - for public entities, the auditors' report must be in writing and presented to those in charge of governance (usually the audit committee) before their report on internal control over financial reporting is issued to the public

who is the internal control report to be issued to?


Ensembles d'études connexes

Wong Ch 16:Health Problems of School-Age Children and Adolescents

View Set

Cumulative Exam : Health and Wellness

View Set

Microsoft Excel LinkedIn Skill Assessment

View Set

Chapter 10 - Family Dynamics (Exam #6)

View Set