2. Assessing Risk and Developing a Planned Response(1)
Which of the following internal controls most likely would reduce the risk of diversion of customer receipts by an entity's employees?
A bank lockbox system assures accountability control as cash enters the client's cash receipts system.
According to US GAAS, all of the following statements about interpretive publications are true,
An auditor is required to consider [should consider] applicable interpretive publications in planning and performing an audit. The other answer alternatives are all true statements.
Which of the following questions would an auditor most likely include on an internal control questionnaire for notes payable?
Approved borrowings by the board of directors indicate that transactions must be approved before the recording and custody functions can take place. This is also performed by a party independent of the recording and custody functions.
Which of the following questions would most likely be included in an internal control questionnaire concerning the completeness assertion for purchases?
Assertions about completeness deal with whether all transactions and accounts that should be presented in the financial statements are so included. One step in assuring this is the periodic reconciliation of prenumbered purchase orders, receiving reports, and vouchers.
Proper segregation of duties reduces the opportunities to allow persons to be in positions to both
Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of their duties.
Which of the following types of control best describes procedures to ensure appropriate systems software acquisition?
"General" controls best describe procedures to ensure appropriate systems software acquisition. General controls are policies and procedures that help define and support many applications, including the company's information systems.
A system that provides vendor and customer access to each other's internal computer data to facilitate service, deliveries, and payment is called
Electronic data interchange is a method of conducting routine business transactions, such as inventory purchases. It relies on standardized guidelines that everyone can use. Distributed processing is an allocation of various processing tasks to various business divisions, with some tasks centralized and some decentralized. Electronic mail (email) refers to the electronic transmission of messages, including attached files from programs unrelated to the email software. A time-sharing center rents time on a central computer to several entities, with each entity having remote input and output devices. To each entity, it seems as if it is the only one using the system.
Which of the following computer documentations would an auditor most likely utilize in obtaining an understanding of internal control?
An auditor is likely to use systems flowcharts in obtaining an understanding of internal control. Systems flowcharts show the flow of data through the system and the interrelationships between the processing steps and computer runs. A record count is an input control technique. Program listings are the source statements or language of the client's programs. Record layouts are the input and output formats.
When should an auditor test an indirect control?
An auditor should test an indirect control when the control being testing depends upon another control and the auditor determines it is also necessary to obtain audit evidence about the operating effectiveness of that control.
Which of the following audit procedures would be most appropriate to test the valuation of the collateral of a delinquent loan receivable?
Obtaining a current value appraisal of the collateral would be the most appropriate audit procedure to test the valuation of the collateral of a delinquent loan receivable. If the auditor is not competent enough to execute this task, he may engage a specialist to do the same.
To obtain evidence that online access controls are properly functioning, an auditor most likely would
Password controls, used in restricting access to computers, are designed to preclude access capabilities of those employees whose regular functions are incompatible with computer use. To obtain evidence that user identification and password controls are functioning as designed, an auditor would most likely examine a sample of invalid passwords or numbers to determine whether the computer is recognizing the invalid passwords and rejecting access.
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
Physically secure hardware devices are less likely to be compromised than software. For example, having a password sent to your phone to authenticate that you are indeed Jane Doe is preferred in ensuring proper authentication and permission(s) to an EDI system. Message authentication provides assurance about messages' sources. Encryption provides assurance about privacy. Message authentication performs similarly to control duties in non-IT systems, but not the segregation of duties aspect. Service providers usually do not provide security at the transaction level.
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control?
While incompatible duties can be segregated and therefore controlled, the possibility of management override and collusion among employees to circumvent controls will still exist. Mistakes in judgment also cannot be controlled.
As a result of control testing, a CPA has decided to reduce control risk. What is the impact on the substantive testing sample size if all other factors remain constant?
A CPA has decided to reduce control risk, so the substantive testing sample size would be lower. The CPA has reduced control risk and can afford a higher detection risk and will be satisfied with a smaller, less time-consuming sample size during substantive testing. With lower control risk, an auditor can afford a higher detection risk and use a smaller sample size.
Which of the following is a complete and accurate list of the walk-through procedures usually performed in an issuer's integrated audit?
A Walk-through is following a transaction process right from the start to end to understand how the transaction is processed as it passes through various steps until it is finally reported on financial statements. It helps in developing an understanding of the design of internal controls and involves the following procedures: Inquiry of management, internal auditors, Those Charged with Governance, other employees within the entity. Observation of control procedures as they are performed. Inspection of relevant documents such as control descriptions and control flow charts. Re-performance of controls. Sampling & Analytical procedures are used in the test of details. Test of Controls involves assessing the design and operating effectiveness of controls and walkthroughs are done to assess the design of controls. As such, walkthroughs are used in the testing of controls, and testing of controls is not a procedure within a walkthrough.
In testing controls over cash disbursements, an auditor most likely would determine that the person who signs checks also
A control for cash disbursements is for the person who signs the checks to compare them to supporting documents, cancel the documents, and to mail the checks. The person who signs checks should have access to the supporting documents in order to validate their legitimacy. Reconciliation of the monthly bank statement is a control that should be done by a person independent of cash transactions. Checks should not be returned or given to anyone with cash disbursement responsibilities. (Editor note: Think about this, if you were a check signer for an organization, wouldn't you want to see some documentation that "backs up" the check you're signing for?)
A senior auditor conducted a dual-purpose test on a client's invoice to determine whether the invoice was approved and to ascertain the amount and other terms of the invoice. Which of the following lists two tests that the auditor performed?
A senior auditor conducted a dual-purpose test on a client's invoice to determine whether the invoice was approved and to ascertain the amount and other terms of the invoice. He/she concurrently performed tests of controls and tests of details. Tests of controls - Checks performed to verify whether internal controls are working and are strong. Tests of details - Substantive procedures that verify different assertions in the financial statements - E.g., Inspection, Existence/Occurrence, etc.
The controller of a small utility company has interviewed audit firms proposing to perform the annual audit of their employee benefit plan. According to the guidelines of the Department of Labor (DOL), the selected auditor must be
According to the guidelines of the Department of Labor (DOL), the selected auditor performing the annual audit of the company's employee benefit plan must be independent for purposes of examining financial information required to be filed annually with the DOL. The selected auditor may be a customer of the utility company, does not have to be on any approved list of firms, and does not have to be the lowest fee bidder for the work required.
An auditor who is testing IT controls in a payroll system would most likely use test data that contain conditions such as
An auditor testing IT controls in a payroll system most likely would use test data containing time tickets with invalid job numbers. The computer should be programmed to compare job numbers on the time tickets with a list of valid authorized job numbers. IT controls would not detect a lack of authorization, lack of approval, or unauthorized signatures.
Which of the following procedures represents a weakness in internal controls for payroll?
An important internal control is the separation of the duties of authorization, record keeping, and custody. As the payroll department prepares the payroll (record keeping) and has custody of the related assets, a payroll clerk is in a position to both perpetrate and conceal misappropriation of assets. Having the accounting department wire transfer funds (authorization) based on total from a payroll summary (record keeping) may be unusual, but the two mentioned types of duties are separated. With the treasurer supervises the use of a signature plate (custody) by the payroll department to prepare checks (record keeping), segregation of duties is maintained. With the chief financial officer signing checks (custody) prepared by the payroll department (record keeping), segregation of duties is maintained.
Which of the following statements is correct concerning analytical procedures used in planning an audit engagement?
Analytical procedures performed as risk assessment procedures, i.e., analytical procedures used to plan the audit, often use data aggregated at a high level. The objective is to identify the existence of unusual transactions or events and amounts, ratios, and trends that might indicate matters that have financial statement and audit planning ramifications. Analytical procedures are not used to replace tests of controls. Analytical procedures can be used as substantive tests to obtain audit evidence about particular assertions (which is not part of the planning stage). Substantive analytical procedures often involve the comparison of expectations developed by the auditor (not assertions developed by management) to recorded amounts (or ratios developed from recorded amounts) to achieve an audit objective related to a particular assertion made by management.
Which of the following procedures would an auditor most likely perform to test controls relating to management's assertion about the completeness of cash receipts for cash sales at a retail outlet?
Assertions about completeness are tested by testing whether or not all cash is recorded. If employees consistently use cash registers and tapes, it is likely that all cash is recorded. Inquiry about employees' access to undeposited recorded cash, comparing the cash receipts journal to the general ledger, and comparing the cash balance in the general ledger with the bank confirmation request, only test assertions about recorded cash.
Sound internal control procedures dictate that immediately upon receiving checks from customers by mail, a responsible employee should
By immediately recording the receipt of the checks, the employee provides evidence of the existence of cash.
The acceptable level of detection risk is inversely related to the
Detection risk relates to substantive audit procedures and is managed by the auditor's response to the risk of material misstatement (RMM). For a given level of audit risk, detection risk should bear an inverse relationship to the RMM at the relevant assertion level. As the RMM increases, the level of detection risk that can be accepted by the auditor decreases (and the need for the assurance provided by substantive tests increases). Likewise, as the RMM decreases, the level of detection risk that can be accepted by the auditor increases. (However, the auditor should perform substantive procedures for all relevant assertions related to material classes of transactions, account balances, and disclosures regardless of the assessed level of risk.) Regarding incorrect answer B., the risk of misapplying audit procedures is a part of detection risk. Regarding incorrect answer C., the preliminary judgment about materiality levels provides a basis for, i.e., is made prior to, the auditor's identification and assessment of the RMM. Thus, as detection risk is set by the auditor in response to the RMM, the setting of the preliminary materiality levels is unrelated to detection risk. Moreover, the judgment about what constitutes a material misstatement is not related to the determination of the degree of risk the auditor is willing to accept that a material misstatement will be undetected. Regarding incorrect answer D., the risk of failing to discover material misstatements during an audit is detection risk.
During the planning phase of an audit the auditor should
During the planning phase the auditor should consider whether specialized skills are needed in performing the audit. If so, the auditor should seek assistance. Someone possessing these skills may either be on the auditor's staff or an outside professional. The auditor should have sufficient knowledge to communicate the objectives of the other professional's work; evaluate whether the specified audit procedures will meet the auditor's objectives; and evaluate the results of the audit procedures applied as they relate to the nature, timing, and extent of further planned audit procedures.
In the integrated audit of an issuer, an auditor has identified entity-level controls that are important to the conclusion as to whether the company has effective internal control over financial reporting. Each of the following is an example of an entity-level control, except
Entity level controls are those controls that affect pervasively the financial statements of an entity as a whole and affect many assertions as opposed to control over one specific transaction or account balance. Entity level controls include: Controls over management override The entity's risk assessment process Controls that monitor other controls such as an Internal Audit Controls over the period-end financial reporting process Controls that affect significant business risk Controls over the completeness of deposited cash is a control over one specific process or transaction and, as such, is an activity level control and not an entity-level control.
Which of the following procedures would an auditor most likely include in developing the overall audit strategy of a financial statement audit?
Of the procedures listed, an auditor is most likely to determine the extent of involvement of the client's internal auditors in developing the overall audit strategy of a financial statement audit. A representation letter from the client's management (and, when appropriate, those charged with governance) is obtained at the end of an audit, not the beginning—it should be as of the date of the audit report on the financial statements. Examining documents and considering the reasonableness of estimates are procedures performed during the audit.
In designing written audit programs, an auditor should establish specific audit objectives that relate primarily to the
Once the audit strategy has been established, the auditor is able to start the development of a more detailed audit plan [audit programs] to address the various matters identified in the audit strategy, taking into account the need to achieve the audit objectives. The documentation of the audit plan via audit programs should include descriptions of the nature, extent, and timing of planned further audit procedures at the relevant assertion level. The other answer alternatives are all considerations of the procedures necessary to satisfy the audit objectives.
Which of the following represents an inherent limitation of internal controls?
One of the inherent limitations of internal control is the inappropriate management override of controls. An example of this would be if the CEO can request a check with no purchase order. The other answer alternatives describe weaknesses in internal control, but they are not inherent limitations. Inherent limitations are intrinsic—the incorrect answers are examples of failures in internal control that can be remedied.
Which of the following methods of testing application controls utilizes a generalized audit software package prepared by the auditors?
Parallel simulation involves creating a model of the EDP system to be tested. The auditor reviews the application system to gain an understanding of its functioning and then utilizes a generalized audit software package to create a model or simulation of the application processing. In program code checking, the auditor reviews the client's program documentation, including a narrative description and source code. In controlled reprocessing, the auditor maintains control over the reprocessing of previously processed results using a version of the program the auditor has tested, and compares the computer output of the original processing and reprocessing. An integrated test facility includes processing of dummy records with the client's records using the client's program.
Which of the following factors would a CPA ordinarily consider in the planning stage of an audit engagement?
Planning involves the development of an overall strategy for the expected conduct, organization, and staffing of the audit. The auditor must plan the audit to be responsive to the assessment of the risk of material misstatement. In establishing the overall audit strategy, the auditor should consider the important factors that will determine the focus of the audit team's efforts, such as the determination of appropriate materiality levels; preliminary identification of areas where there may be higher risks of material misstatement; preliminary identification of material locations and account balances; evaluation of whether the auditor plans to perform tests of controls; and identification of recent significant entity-specific, industry, financial reporting, or other relevant developments.
Which of the following fraudulent activities most likely could be perpetrated due to the lack of effective internal controls in the revenue cycle?
Segregation of duties prevents an employee from committing fraud and subsequently concealing it. Proper segregation of duties separates the functions of record keeping, custody and authorization.
Which of the following best represents a key control for ensuring sales are properly authorized when assessing control risks for sales?
Sending sales orders to the credit department for approval is a key control for ensuring that sales are properly authorized. Although the billing and cash receipts departments should be separate (to reduce the opportunity for any one person to both perpetrate and conceal fraud or errors in the normal course of their duties), their separation does not impact whether sales are properly authorized. Use of an approved price list is a control to ensure the accuracy of sales transactions rather than proper authorization. The receipt of approved sales orders by the shipping, billing, and accounting departments occurs after the fact.
When obtaining an understanding of the entity and its environment, the auditor should obtain an understanding of the nature of the entity. In relation to this, the matter least likely to be considered is
Taxation is an example of a matter the auditor may consider when obtaining an understanding about external factors; rather than a matter related to the nature of the entity.
Which of the following procedures would a CPA most likely perform in the planning stage of a financial statement audit?
The auditor is required to perform analytics in the planning stage of the audit. These procedures assist the auditor in planning the nature, extent, and timing of substantive tests; thus, they should focus on enhancing the auditor's understanding of the client's business and the transactions and events that have occurred since the last audit and identifying areas that may represent specific risks relevant to the audit. Analytics involve comparisons of recorded amounts or ratios developed from recorded amounts to expectations developed by the auditor. Comparison of recorded financial information with anticipated results from budgets and forecasts is appropriate for this planning stage. Representations from management are dated the same date as the auditor's report. Communication regarding the prior year's audit adjustments typically occurs near the end of the audit for that year. Inquiry of the client's attorney tends to occur after the planning stage, as part of the substantive tests.
Which of the following circumstances most likely would cause an auditor to consider whether material misstatements exist in an entity's financial statements?Which of the following circumstances most likely would cause an auditor to consider whether material misstatements exist in an entity's financial statements?
The auditor most likely would consider whether material misstatements exist when transactions selected for testing are not supported by proper documentation. Reduced emphasis on meeting earnings projections would be a factor decreasing the likelihood of earnings overstatements and assets (the most frequent misstatement). Having the board of directors make major financing decisions would decrease the incentive for management to use questionable reporting by reducing the amount of management's responsibility. Significant deficiencies previously communicated to management may not have been corrected because of an unfavorable cost-benefit relationship.
Required preliminary engagement activities include all of the following
The auditor should consider the factors that, in the auditor's professional judgment, are significant in directing the engagement team's efforts when establishing the overall audit strategy, rather than during the earlier preliminary stage. The other answer alternatives comprise all of the required preliminary engagement activities. Performing them at the beginning of the current audit engagement assists the auditor in identifying and evaluating events or circumstances that may adversely affect the auditor's ability to plan and perform the audit engagement. Their performance should enable the auditor to plan an engagement for which the auditor maintains the necessary independence and ability to perform the engagement; has no issues with management integrity; or has no misunderstanding with the entity about the terms of the engagement.
A retail entity uses electronic data interchange (EDI) in executing and recording most of its purchase transactions. The entity's auditor recognizes that the documentation of the transactions will be retained for only a short period of time. To compensate for this limitation, the auditor most likely would
The auditor should consider the time when information is available in determining the timing of tests. Increasing the extent of cut-off tests would provide additional information only about year-end transactions. The nature of the business may make a 100% count of inventory at year end impractical or insufficient. Increasing the assessed level of control risk for the existence / occurrence assertion because records are unavailable is unduly harsh, but decreasing it is unjustified.
An audit client failed to maintain copies of its procedures manuals and organizational flowcharts. What should the auditor do in an audit of financial statements?
The auditor should document key elements of the auditor's understanding of internal control regardless of the client's records. The client's failure to do so does not constitute a scope limitation; necessitate that the auditor assess control risk at the maximum level; nor restrict the auditor's responsibility to assess the effectiveness of controls.
Audit programs should be designed so that
The primary purpose of the audit is to provide users of the financial statements with an opinion. The objective of the auditor is to design and perform audit procedures that enable the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor's opinion. The design of the audit program has no effect on inherent risk. Procedures may be performed prior to the balance sheet date only if the effectiveness of interim work is not likely to be impaired. Suggestions to management are secondary considerations in an audit.
When performing analytical procedures in the planning stage,the auditor most likely would develop expectations by reviewing which of the following sources of information?
The purpose of analytics in the planning stage of the audit is to assist in planning the audit procedures that will be used to obtain audit evidence for specific account balances or classes of transactions. To accomplish this, one of the things the auditor should focus on is the transactions and events that have occurred since the last audit date. The unaudited information from internal quarterly reports would be the best source of information for developing expectations. Expectations, in this context, are the auditor's predictions of recorded accounts or ratios. The effectiveness of analytical procedures depends on developing expectations that can reasonably be expected to identify unexpected relationships. Account assertions in the planning memorandum would not provide the needed data to develop such expectations. The auditor is interested in transactions and events that have occurred since the last audit date, so comments in the prior year's management letter would have limited usefulness and, again, would probably not include data needed to derive expectations. Control risk affects the reliability of data and, thus, the precision of the expectation, but it would not be considered a source for developing expectations.
When obtaining an understanding of the entity and its environment, the auditor should obtain an understanding of the measurement and review of the entity's financial performance. In relation to this, the matter least likely to be considered is
The risk appetite of managers and stakeholders is an example of a matter the auditor may consider when obtaining an understanding about the entity's objectives and strategies and those related business risks that may result in risks of material misstatement; rather than a matter related to the measurement and review of the entity's financial performance. An understanding of the entity's performance measures assists the auditor in considering whether pressures to achieve performance targets may result in management actions that increase the risks of material misstatement, including those due to fraud.
What is a service auditor's responsibility, if any, with regard to other information presented in a document containing management's description of its system and the service auditor's report?
The service auditor should read other information, if any, included in a document containing management's description of the service organization's system and the service auditor's report to identify material inconsistencies. While reading if he became aware of an apparent misstatement of fact in the other information he should discuss the matter with management and take further appropriate action
Which of the following procedures would the auditor most likely perform to determine that an interest rate swap contract is properly stated at fair value on the client's balance sheet?
To audit fair value estimates (such as the stated fair value of interest rate swap contract) on the client's balance sheet for accuracy and reasonableness an auditor must do the following: Evaluate whether the method, assumptions, and data used in the fair value measurement of the interest rate swap contract are accurate and reasonable. Compare the fair value of the interest rate swap contract on the balance sheet with an independently developed fair value. Review subsequent events to determine if the fair value on the balance sheet was reasonable.
In obtaining an understanding of a manufacturing entity's internal control concerning inventory balances, an auditor most likely would
To obtain an understanding of a manufacturer's internal control concerning inventory balances, an auditor would review the entity's descriptions of inventory policies and procedures. Analyzing inventory ratios, performing cost variance analytical procedures, and performing inventory test counts are substantive procedures. (Editor note: The key word here is "understanding the entity and therefore of the four answer choices, reviewing policies and procedures would satisfy the objective. The other answer choices are testing procedures that would ascertain the risk assessment i.e. support the auditor's understanding in this area).
In obtaining an understanding of an entity's internal control, an auditor is required to obtain knowledge about the
Obtaining an understanding of internal control consists of evaluating the design and implementation of controls. This is not the same as testing the operating effectiveness of controls. The auditor only tests the operating effectiveness of controls when: (1) the auditor's risk assessment includes an expectation of the operating effectiveness of controls or (2) when it is not possible or practicable to reduce detection risk at the relevant assertion level to an acceptably low level with audit evidence obtained from substantive procedures alone.
Which of the following would provide an auditor of a nonissuer with the best evidence of fair value pertaining to a client's investments in derivative instruments that are listed on a national exchange and disclosed at fair value?
Fair Value Hierarchy is categorized into three levels: Level 1 inputs are quoted prices in active markets for identical assets or liabilities. Level 2 inputs include quoted prices for similar (not identical) assets or liabilities in active markets or quoted prices for identical or similar assets or liabilities in non-active markets. Level 3 are unobservable inputs for the asset or liability. These are most often used where there is little, if any, market activity for the asset or liability at the measurement date. To audit fair value estimates (such as derivative instruments) on the client's balance sheet for accuracy and reasonableness, an auditor must compare the fair value of the derivative instruments on the balance sheet with an independently developed fair value using the best evidence of fair value. Because the derivative instruments are listed on a national exchange, the best evidence for fair value is quoted market price (Level 1 input).
Which of the following tasks can be achieved using generalized audit software?
Generalized Audit Software Packages (GASPs) refer to a series of programs that allow the auditor to perform tests of controls and substantive tests directly on the client's system or duplicate the client's system for the auditor to perform a parallel simulation. GASPs may include programs to access client files for purposes of testing, e.g., analytical procedures may be performed on accounts receivable data like calculating ratios or filtering the data according to parameters set by the auditor.
Manual controls would most likely be more suitable than automated controls for which of the following?
Human involvement is more in case of manual controls. Manual controls are suitable for large, unusual, or non-recurring transactions so that personal attention can be given to each such transaction. As these transactions are of high value (e.g. purchase of a high-value equipment), proper authorization and justification is required for entering into these transactions, which is best served by manual rather than automated controls.
Which of the following factors would most likely be considered an inherent limitation to an entity's internal control?
Human judgment in the decision making process is considered an inherent limitation because mistakes may occur in the application of certain policies and procedures due to misunderstanding of instructions or personal carelessness. The complexity of the information processing system is not in itself an inherent limitation; it is the incorrect use of the complex system by humans that causes the majority of errors. The ineffectiveness of the board of directors and the lack of management incentives to improve the control environment are correctible weaknesses in internal control; they are not inherent.
Which of the following would an auditor ordinarily consider the greatest risk regarding an entity's use of electronic data interchange (EDI)?
Improper transactions or disclosure of transactions, regardless of the media, are usually the greatest risk. Appropriate authorization of EDI transactions doesn't present a risk. Duplication of EDI transactions likely would be found by one of the involved parties upon reconciliation. Elimination of paper documents is a goal of EDI.
Which of the following services would constitute a management function under Government Auditing Standards, and result in the impairment of a CPA's independence if performed by the CPA?
In general, any situation that requires the application of judgment to make a decision tends to impair independence. Developing client policies is listed as a general activity that impairs auditor independence. Providing or recommending methodologies or internal control procedures does not impair independence; client management still bears the burden of deciding to select and implement those methodologies or procedures. Providing accounting opinions to a legislative body or other group generally does not impair independence.
Which of the following qualitative factors would an auditor consider most relevant to the consideration of whether a discovered misstatement is material?
In general, misstatements, including omissions, are considered to be material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users that are taken based on the financial statements. The auditor will decide if a misstatement is material or immaterial using both qualitative and quantitative considerations. If a misstatement is above the set materiality threshold it is a material misstatement. However, certain misstatements such as instances of fraud and non-compliance, even though below the materiality threshold, would be a material misstatement qualitatively.
According to US GAAS, in general, misstatements in the financial statements, including omissions, are considered to be material when, individually or in the aggregate,
In general, misstatements, including omissions, are considered to be material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users that are taken based on the financial statements. The concept of materiality is applied by the auditor when both planning and performing the audit; and in evaluating the effect of identified misstatements on the audit and uncorrected misstatements, if any, on the financial statements. Judgments about materiality are made in light of surrounding circumstances and involve both qualitative and quantitative considerations. These judgments are affected by the auditor's perception of the financial information needs of users of the financial statements and by the size and/or nature of a misstatement.
Regarding a non-issuer's compliance with laws and regulations, an auditor performing an audit of the entity's financial statements is responsible for
In the absence of identified or suspected non-compliance, the auditor is not required to perform audit procedures regarding the entity's compliance with laws and regulations, But auditor should obtain a general understanding of the following: Legal & regulatory framework applicable to the entity and its industry or sector How the entity is complying with that framework
The overall audit strategy
The auditor should establish an overall audit strategy that sets the scope, timing, and direction of the audit and that guides the development of the audit plan.The detailed audit plan, not the overall audit strategy, includes a description of the nature and extent of planned risk assessment procedures.The auditor should update and change the overall audit strategy and audit plan, as necessary, during the course of the audit. As a result of unexpected events, changes in conditions, or the audit evidence obtained from the results of audit procedures, the auditor may need to modify the overall audit strategy and audit plan and, thereby, the resulting planned nature, timing, and extent of further audit procedures, based on the revised consideration of assessed risks.The overall audit strategy provides a basis for the detailed audit plan; not vice versa. Once the overall audit strategy has been established, an audit plan can be developed to address the various matters identified in the overall audit strategy, taking into account the need to achieve the audit objectives through the efficient use of the auditor's resources. That said, the establishment of the overall audit strategy and the detailed audit plan are not necessarily discrete or sequential processes but are closely interrelated because changes in one may result in consequential changes to the other.
When developing the audit strategy and audit plan for an issuer, the auditor should evaluate whether the following matters are important to the company's financial statements and internal control over financial reporting and, if so, how they will affect the auditor's procedures, except for
The auditor should evaluate legal or regulatory matters of which the company is aware; however, the response to the auditor's letter of inquiry to the client's lawyer would not be available in the planning stage; it should be dated as close as possible to the date of the audit report. Additional matters for evaluation during the planning stage are knowledge of the company's internal control over financial reporting obtained during other engagements performed by the auditor; matters affecting the industry in which the company operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes; the auditor's preliminary judgments about materiality, risk, and, in integrated audits, other factors relating to the determination of material weaknesses; control deficiencies previously communicated to the audit committee or management; the type and extent of available evidence related to the effectiveness of the company's internal control over financial reporting; preliminary judgments about the effectiveness of internal control over financial reporting; public information about the company relevant to the evaluation of the likelihood of material financial statement misstatements and the effectiveness of the company's internal control over financial reporting; and knowledge about risks related to the company evaluated as part of the auditor's client acceptance and retention evaluation.
An auditor should design the written audit plan (or program) so that
The auditor should prepare a written audit plan (or program). The audit plan should detail the nature, extent, and timing of the audit procedures that are necessary to accomplish the objectives of the audit. All material transactions* and all account balances are not required to be tested in all circumstances. Minimizing substantive tests prior to the balance sheet date is not required.
Which of the following events occurring in the year under audit would most likely indicate that internal controls utilized in previous years may be inadequate in the year under audit?
The chief financial officer's willingness to override the internal controls reveals a management philosophy that values meeting goals higher than working within established procedures. Little time would be saved by adhering to approval procedures at most entities, indicating, at best, poor organization regarding the transactions. Elimination of the internal audit function, in itself, doesn't indicate that controls are now inadequate, although this is a second-best answer. As the audit committee chair is unlikely to have been in a position to commit a disreputable act with regard to the entity under audit, the chair's resignation probably doesn't indicate personal misconduct. If an audit committee chair resigned in protest of entity misconduct, the chair likely would have informed the auditor directly of the reasons for the resignation. Check-run frequency rarely affects the quality of internal controls.
Mill Co. uses a batch processing method to process its sales transactions. Data on Mill's sales transaction tape are electronically sorted by customer number and are subjected to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this tape most likely would be a
The computer process has built-in edit checks to generate exceptions and control totals. Edit checks performed on batch processed data verify if each individual entry is appropriate and generates a list of rejected transactions for review by control clerk.
The element of the audit planning process most likely to be agreed upon with management before implementation of the audit strategy is the determination of the
The element of the audit planning process most likely to be agreed upon with the client before implementation of the audit strategy is the timing of inventory observation procedures to be performed. Evidence to be gathered to provide a sufficient basis for the auditor's opinion is solely a matter of auditor judgment. The procedures to be undertaken to discover litigation, claims, and assessments are determined by the auditor. Pending legal matters to be included in the inquiry of the client's attorney are more likely to be discussed after implementation of the audit strategy.
Services provided by a service organization are relevant to the audit of a user entity's financial statements when those services and the controls over them affect the user entity's information system, including related business processes, relevant to financial reporting. A user auditor should consider a service organization's services a part of an entity's information system if they affect any of the following except
US GAAS regarding service organizations do not apply to services that are limited to processing an entity's transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker. Nor do they apply to the audit of transactions arising from an entity that holds a proprietary financial interest in another entity, such as a partnership, corporation, or joint venture, when the partnership, corporation, or joint venture performs no processing on behalf of the entity. In addition to the other answer alternatives, a service organization's services are part of a user entity's information system, including related business processes, relevant to financial reporting if these services affect any of the following: (1) the related accounting records, supporting information, and specific accounts in the user entity's financial statements that are used to initiate, authorize, record, process, and report the user entity's transactions; this includes the correction of incorrect information and how information is transferred to the general ledger; the records may be in either manual or electronic form; (2) How the user entity's information system captures events and conditions, other than transactions, that are significant to the financial statements; and (3) controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments.
Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system?
When a client processes financial data in electronic form without paper documentation, the auditor may audit on a more continuous basis than a traditional system, as a convenience, and may be required to audit on a more continuous basis to obtain sufficient, competent evidence as documentation for some transactions may be available only for a limited time. An embedded audit module can facilitate this 'continuous' auditing. If anything, an auditor may rely less on internal control activities that emphasize the segregation of duties. Digital certificate verification and testing of firewall boundaries are more concerned with security than internal control.
