ACT 405 Exam #3
What are the three levels of absences of internal control? Give the definitions of each. Which is the most severe?
o *Control deficiency* - A control deficiency exists if the design and implementation or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis in the normal course of performing their assigned functions. A design deficiency exists if a necessary control is missing, is not properly designed, or is not properly implemented. An operation deficiency exists if a well-designed control does not operate as designed or if the person performing the control is insufficiently qualified or authorized. o *Significant deficiency* - A significant deficiency exists if one or more control deficiencies exist that are less severe than a material weakness (defined next), but are important enough to merit attention by those responsible for oversight of the company's financial reporting o *Material weakness* - A material weakness exists if a significant deficiency, by itself or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis. To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along two dimensions: likelihood and significance. o Material weakness is the most severe
How does statistical sampling differ in determining the sample size?
the calculation of initial sample sizes developed from statistical probability distributions using tables or audit software
What are the COSO control activities? Explain each one.
*Adequate Documents and records* Documents and records should be: • Prenumbered consecutively to facilitate control over missing documents and records and as an aid in locating them when they are needed at a later date. Prenumbered documents and records are important for the completeness assertion. • Prepared at the time a transaction takes place, or as soon as possible thereafter, to minimize timing errors. • Designed for multiple use, when possible, to minimize the number of different forms. For example, a properly designed electronic shipping record can be the basis for releasing goods from storage to the shipping department, inform- ing billing of the quantity of goods to bill to the customer and the appropriate billing date, and updating the perpetual inventory records. • Constructed in a manner that encourages correct preparation. This can be done by providing internal checks within the form or record. For example, computer screen prompts may force online data entry of critical information before the record is electronically routed for authorizations and approvals. Similarly, screen controls can validate the information entered, such as when an invalid general ledger account number is automatically rejected because the account number does not match the chart of accounts master file. *Physical Control Over assets and records* To maintain adequate internal control, assets and records must be protected. If assets are left unprotected, they can be stolen. If records are not adequately protected, they can be stolen, damaged, altered, or lost, which can seriously disrupt the accounting process and business operations. When a company is highly computerized, its computer equipment, programs, and data files that represent the records of the company must be protected, given they could be costly or even impossible to reconstruct. *Independent Checks on performance* The need for independent checks arises because internal controls tend to change over time, unless there is frequent review. Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance. Regardless of the quality of the controls, personnel can make errors or commit fraud. Personnel responsible for performing internal verification procedures must be independent of those originally responsible for preparing the data. *adequate Separation of Duties* Four general guidelines for adequate separation of duties to prevent both fraud and errors are especially significant for auditors. *proper authorization of transactions and activities* Every transaction must be properly authorized if controls are to be satisfactory. If any person in an organization could acquire or expend assets at will, complete chaos would result. Authorization can be either general or specific.
Which of the balance-related audit objectives is almost impossible for an auditor to uncover errors in Accounts Receivable?
*Completeness.* It is difficult for auditors to test for account balances omitted from the aged trial balance except by relying on the self-balancing nature of the accounts receivable master file. If all sales to a customer are omitted from the sales journal, the understatement of accounts receivable is almost impossible to uncover by tests of details of balances. In addition, unrecorded sales to a new customer are difficult to identify for confirmation because that customer is not included in the accounts receivable master file. The understatement of sales and accounts receivable is best uncovered by substantive tests of transactions for shipments made but not recorded (completeness objective for tests of sales transactions) and by substantive analytical procedures.
What is the most important test of details of balances for determining the existence of recorded accounts receivable?
*Confirmation of customers' balances* is the most important test of details of balances for determining the existence of recorded accounts receivable. When customers do not respond to confirmations, auditors also examine supporting documents to verify the shipment of goods and evidence of subsequent cash receipts to determine whether the accounts were collected. Normally, auditors do not examine shipping documents or evidence of subsequent cash receipts for any account in the sample that is confirmed, but they may use these documents extensively as alternative evidence for nonresponses
Fill in the following table:
*Type of Change* -----------------------------------------> *Effect on Sample Size* Increase in acceptable risk of overreliance (ARO) -----------------> Decrease Increase in tolerable exception rate (TER) ---------------------------> Decrease Increase in estimated population exception rate (EPER) ------------> Increase Increase in population size --------------------------------> increase (minor effect)
List some characteristics of fraud perpetrators.
LOOK AT FIGURE 10-3 Male, aged 35-45, worked at company from 6-10+ years, in finance, working in collusion with others, doesn't work as a senior manager or in management
What is the major difference between statistical and nonstatistical sampling?
Statistical sampling differs from nonstatistical sampling in that, by applying mathematical rules, auditors can quantify (measure) sampling risk in planning the sample (step 1) and in evaluating the results (step 3). *In nonstatistical sampling, auditors do not quantify sampling risk.* However, a properly designed nonstatistical sample that considers the same factors as a properly designed statistical sample can provide results that are as effective as a properly designed statistical sample.
During what time period are auditors required to review for subsequent events?
The auditor's responsibility for reviewing subsequent events is normally limited to the period beginning with the balance sheet date and ending with the date of the auditor's report. As a result, the subsequent events review should be completed near the end of the audit.
Why is cutoff one of the most important audit objectives for Accounts Receivable?
The cutoff objective is one of the most important in the cycle because *misstatements in cutoff can significantly affect current period income.* For example, the intentional or unintentional inclusion of several large, subsequent period sales in the current period — or the exclusion of several current period sales returns and allowances — can materially overstate net earnings. Cutoff misstatements can occur for sales, sales returns and allowances, and cash receipts. For each one, *auditors require a threefold approach to determine the reasonableness of cutoff*: 1. Decide on the appropriate criteria for cutoff. 2. Evaluate whether the client has established adequate procedures to ensure a reasonable cutoff. 3. Test whether the cutoff was correct.
The confirmation of accounts receivable primarily satisfies which three audit objectives?
The primary purpose of accounts receivable confirmation is to satisfy the *existence, accuracy*, and *cutoff* objectives.
Which roles are important to keep separated as it relates to sales transactions?
To prevent fraud, *management should deny cash access to anyone responsible for entering sales and cash receipts transaction* information into the computer. *The credit-granting function should be separated from the sales function*, because credit checks are intended to offset the natural tendency of sales personnel to optimize volume even at the expense of high bad debt write-offs. *Personnel responsible for doing internal comparisons should be independent of those entering the original data.* Adequate separation of duties • Cash and recordkeeping • Credit granting and sales Adequate doc and record
For the occurrence objective, the auditor is concerned about three types of misstatements. What are they?
• Sales included in the journals for which no shipment was made • Sales recorded more than once • Shipments made to nonexistent customers and recorded as sales
What are the three common authorizations for sales?
*Proper Authorization* 1. Credit must be properly authorized before a sale takes place. 2. Goods should be shipped only after proper authorization. 3. Prices, including basic terms, freight, and discounts, must be authorized.
There are three levels of likelihood of occurrence for contingent liabilities. What are they? How do they impact the financial statements?
*Remote (slight chance)* - No disclosure is necessary. *Reasonably possible (more than remote, but less than probable)* - Footnote disclosure is necessary. *Probable (likely to occur)* • If the amount can be reasonably estimated, financial statement accounts are adjusted. • If the amount cannot be reasonably estimated, footnote disclosure is necessary
What types of events would have an indirect effect on the financial statements? What should an auditor do with this information?
*Subsequent events of this type are events that provide evidence about conditions that did not exist at the date of the balance sheet being reported on but arose after the balance sheet date and may be significant enough to require disclosure.* Examples of these types of nonrecognized subsequent events include: *•* A decline in the market value of securities held for temporary investment or resale *•* The issuance of bonds or equity securities *•* A decline in the market value of inventory as a consequence of government action barring further sale of a product *•* The uninsured loss of inventories as a result of fire *•* A merger or an acquisition Nonrecognized subsequent events may require disclosure if they are significant and if the financial statements would be misleading without the disclosure. Ordinarily these events can be adequately disclosed by the use of footnotes. Occasionally, an event may be so significant as to require disclosure in supplemental financial statements, which include the effect of the event as if it had occurred on the balance sheet date. An example is an extremely material merger. Auditors of accelerated filer public companies may also identify events related to internal control over financial reporting that arose subsequent to year-end. If the auditor determines that these subsequent events have a material effect on the company's internal control over financial reporting, the auditor's report must include an explanatory paragraph either describing the event and its effect or directing the reader to a disclosure in management's report on internal control of the event and its effect.
What is the purpose of substantive tests of transactions?
*The substantive tests of transactions are related to the transaction related objective and are designed to determine whether any monetary misstatements for that objective exist in the transaction.* Auditing standards indicate that if the auditor identifies a significant risk at the assertion level, the auditor should perform substantive procedures that are responsive to that risk. If the approach to a significant risk consists only of substantive procedures, the procedures should include tests of details. As a result, to address the presumption of a fraud risk over revenue recognition, many auditors perform substantive tests of transactions to test recorded revenue transactions. Many auditors also perform substantive analytical procedures to test the reasonableness of recorded revenue.
What is the Tolerable Exception Rate (TER)? How is it determined?
*Tolerable exception rate (TER)* - Exception rate that the auditor will permit in the population and still be willing to conclude the control is operating effectively and/or the amount of monetary misstatements in the transactions established during planning is acceptable. *When determining TER, the auditor considers the degree of reliance to be placed on the control and the significance of the control to the audit*. If only one internal control is used to support a low control risk assessment for an objective, TER will be lower for the attribute than if multiple controls are used to support a low control risk assessment for the same objective. Control deviations increase the risk of material misstatements in the accounting records, but do not necessarily result in misstatements. For example, a disbursement that does not have evidence of proper approval may have been properly authorized and recorded. For this reason, the tolerable rate of deviation for tests of controls is normally higher than the comparable tolerable rate of exception for monetary misstatements.
In nonstatistical sampling, how can the auditor evaluate sampling risk?
*When nonstatistical sampling is used, sampling risk cannot be directly measured.* One way to evaluate sampling risk is to *subtract the sample exception rate from the tolerable exception rate to find the calculated allowance for sampling risk* (TER - SER), and evaluate whether it is sufficiently large to conclude that the true population exception rate is acceptable.
What are the three probabilistic sample selection methods? Briefly explain each of the methods.
1. *Simple random sample selection* - In a simple random sample, every possible combination of population items has an equal chance of being included in the sample. Auditors use simple random sampling to sample populations when there is no need to emphasize one or more types of population items. 2. *Systematic sample selection* - In systematic sample selection (also called systematic sampling), the auditor calculates an interval and then selects the items for the sample based on the size of the interval. The interval is determined by dividing the population size by the desired sample size. 3. *Probability proportional to size sample selection* - In many auditing situations, it is advantageous to select samples that emphasize population items with larger recorded amounts. There are two ways to obtain such samples: *1.* Take a sample in which the probability of selecting any individual population item is proportional to its recorded amount. This method is called sampling with *probability proportional to size* (PPS), and it is evaluated using nonstatistical sampling or monetary unit statistical sampling. *2*. Divide the population into subpopulations, usually by dollar size, and take larger samples from the subpopulations with larger sizes. This is called *stratified sampling*, and it is evaluated using nonstatistical sampling or variables statistical sampling.
What are the three purposes of a management representation letter?
1. *To impress upon management its responsibility for the assertions in the financial statements.* It is easy for management to forget that they are responsible, not the auditor, for the fair presentation of financial statements, especially in smaller companies that lack personnel with expertise in accounting. 2.* To remind management of potential misstatements or omissions in the financial statements.* For example, if the letter of representation includes a reference to pledged assets and contingent liabilities, honest management may be reminded of its unintentional failure to disclose the information adequately, which helps satisfy the completeness presentation and disclosure objective. To fulfill this objective, the letter of representation should be sufficiently detailed to act as a reminder to management. 3.* To document the responses from management to inquiries about various aspects of the audit.* This provides written documentation of client representations in the event of disagreement or a lawsuit between the auditor and client. A letter of representation also helps reduce misunderstandings between management and the auditor
What are the two nonprobabilistic sample selection methods? Briefly explain each of the methods.
1.* Haphazard sample selection* - Haphazard sample selection is the selection of items without any conscious bias by the auditor. In such cases, the auditor selects population items without regard to their size, source, or other distinguishing characteristics. The most serious shortcoming of haphazard sample selection is the difficulty of remaining completely unbiased in the selection. Because of the auditor's training and unintentional bias, certain population items are more likely than others to be included in the sample. 2. *Block sample selection* - In block sample selection auditors select the first item in a block, and the remainder of the block is chosen in sequence. For example, assume the block sample will be a sequence of 100 sales transactions from the sales journal for the third week of March. Auditors can select the total sample of 100 by taking 5 blocks of 20 items, 10 blocks of 10, 50 blocks of 2, or one block of 100. It is ordinarily acceptable to use block samples only if a reasonable number of blocks is used. If few blocks are used, the probability of obtaining a nonrepresentative sample is too great, considering the possibility of employee turnover, changes in the accounting system, and the seasonal nature of many businesses. For example, in the previous example, sampling 10 blocks of 10 from the third week of March is far less appropriate than selecting 10 blocks of 10 from 10 different months.
What is a contingent liability? What three conditions are required for one to exist? Give an example of a contingent liability.
A contingent liability is a potential future obligation to an outside party for an unknown amount resulting from activities that have already taken place. Material contingent liabilities must be disclosed in the footnotes. *Three conditions are required for a contingent liability to exist* 1. There is a potential future payment to an outside party or the impairment of an asset that resulted from an existing condition 2. There is uncertainty about the amount of the future payment or impairment 3. The outcome will be resolved by some future event or events For example, a lawsuit that has been filed but not yet resolved meets all three conditions
A lower assessed level of control risk will result in ?????? testing of controls to support the lower control risk, with a corresponding ?????? in detection risk and ?????? in the amount of substantive tests.
A lower assessed level of control risk will result in INCREASED testing of controls to support the lower control risk, with a corresponding INCREASE in detection risk and DECREASE in the amount of substantive tests.
What is a negative confirmation?
A negative confirmation is also addressed to the debtor but requests a response only when the debtor disagrees with the stated amount.
What is positive confirmation?
A positive confirmation is a communication addressed to the debtor requesting the recipient to confirm directly whether the balance as stated on the confirmation request is correct or incorrect.
Which type of confirmation is more reliable and why?
A positive confirmation is more reliable evidence because the auditor can perform follow-up procedures if a response is not received from the debtor. With a negative confirmation, failure to reply must be regarded as a correct response, even though the debtor may have ignored the confirmation request.
What are internal controls?
A system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals. These policies and procedures are often called controls, and collectively, they make up the entity's internal control.
What is the Acceptable Risk of Overreliance (ARO)?
Acceptable risk of overreliance (ARO) - The risk that the auditor is willing to take of accepting a control as effective or a rate of monetary misstatements as tolerable, when the true population exception rate is greater than the tolerable exception rate
Auditing standards require the auditor to evaluate whether there is a substantial doubt about a client's ability to continue as a going concern until when?
Auditing standards require the auditor to evaluate whether there is a substantial doubt about a client's ability to continue as a going concern for *at least one year beyond the balance sheet date*. Auditors make that assessment initially as a part of planning but may revise it after obtaining new information.
What are the auditor's responsibilities for internal controls?
Auditing standards require the auditor to obtain an understanding of internal control relevant to the audit on every audit engagement. Auditors are primarily concerned about controls over the reliability of financial reporting and controls over classes of transactions. • *Controls Over the reliability of Financial reporting*: Auditors focus primarily on controls related to the first of management's internal control concerns: reliability of financial reporting. Financial statements are not likely to correctly reflect GAAP or IFRS if internal controls over financial reporting are inadequate. Auditors should not ignore controls affecting internal management information, such as budgets and internal performance reports. These types of information are often important sources used by management to run the business and can be important sources of evidence that help the auditor decide whether the financial statements are fairly presented. • *Controls Over Classes of transactions*: Auditors emphasize internal control over classes of transactions rather than account balances because the accuracy of accounting system outputs (account balances) depends heavily on the accuracy of inputs and processing (transactions). Because of the emphasis on classes of transactions, auditors are primarily concerned with the transaction-related audit objectives when assessing internal controls over financial reporting. Section 404(b) of the Sarbanes-Oxley Act requires that the auditor report on the effectiveness of internal control over financial reporting. To express an opinion on these controls, the auditor obtains an understanding of and performs tests of controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements. Auditors of larger public companies are required by the SEC to annually issue an audit report on the operating effectiveness of IC
What are the three major types of exceptions auditors are concerned with during testing?
Auditors are interested in the following types of exceptions in populations of accounting data: 1. Deviations from the client's established controls 2. Monetary misstatements in populations of transaction data 3. Monetary misstatements in populations of account balance details
What are two major issues auditors face when auditing the Allowance for Uncollectible Accounts?
Auditors face two shortcomings in evaluating the allowance by reviewing individual noncurrent balances on the aged trial balance.: *First*, the current accounts are ignored in establishing the adequacy of the allowance, even though some of these amounts will undoubtedly become uncollectible. *Second,* it is difficult to compare the results of the current year with those of previous years on such an unstructured basis. If the accounts are becoming progressively uncollectible over several years, this fact can be overlooked. To avoid these two shortcomings, clients can establish a history of bad debt write-offs over a period of time as a frame of reference for evaluating the current year's allowance.
Auditors need to understand the difference between tracing from source documents to the journals and vouching from the journals back to source documents. The former tests for omitted transactions (????? objective); the latter tests for nonexistent transactions (?????? objective).
Auditors need to understand the difference between tracing from source documents to the journals and vouching from the journals back to source documents. The former tests for omitted transactions (*COMPLETENESS* objective); the latter tests for nonexistent transactions (*OCCURRENCE* objective). Directionality of testing: • *Occurrence (vouching)* starts by selecting a sample of invoice numbers from the journal and vouches them to duplicate sales invoices, shipping docs, and customer orders • *Completeness (tracing)* starts by selecting a sample of shipping docs and traces them to dup. sales invoices and the sales invoices and the sales journal as a test of omissions
What is a management letter? Why is it used?
Auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements. These should also be communicated to the client. The form of communication is often a separate letter for that purpose, called a management letter. Although management letters are not required by auditing standards, auditors generally prepare them as a value-added service of the audit
What is the Estimated population exception rate (EPER)? How is it determined?
Auditors should make an advance estimate of the population exception rate to plan the appropriate sample size. If the *estimated population exception rate (EPER)* is low, a relatively small sample size will satisfy the auditor's tolerable exception rate, because a less precise estimate is required. *Auditors often use the preceding year's audit results to estimate EPER. If prior-year results are not available, or if they are considered unreliable, the auditor can take a small preliminary sample of the current year's population for this purpose.* It is not critical that the estimate be precise because the current year's sample exception rate is ultimately used to estimate the population characteristics. If a preliminary sample is used, it can be included in the total sample, as long as appropriate sample selection procedures are followed.
What is the impact of fraud in Accounts Payable? Give an example of Accounts Payable fraud.
Cases of fraudulent financial reporting involving accounts payable are relatively common although less frequent than frauds involving inventory or accounts receivable. *The deliberate understatement of accounts payable generally results in an understatement of purchases and cost of goods sold and an overstatement of net income*. Significant misappropriations involving purchases can also occur in the form of payments to fictitious vendors, as well as kickbacks and other illegal arrangements with suppliers *•* Companies may engage in deliberate attempts to understate accounts payable and overstate income. This can be accomplished by not recording accounts payable until the subsequent period or by recording fictitious reductions to accounts payable. All purchases received before the end of the year should be recorded as liabilities. *o* This is relatively easy to verify if the company accounts for prenumbered receiving reports. However, if the receiving reports are not prenumbered or the company deliberately omits receiving reports from the accounting records, it may be difficult for the auditor to verify whether all liabilities have been recorded. In such cases, analytical evidence, such as unusual changes in ratios, may signal that accounts payable are understated
What are the four types of procedures auditors perform as tests of controls?
Check if right o *Make inquiries of appropriate client personnel* - Although inquiry is not a highly reliable source of evidence about the effective operation of controls, it is still appropriate. For example, to determine that unauthorized personnel are denied access to computer files, the auditor may make inquiries of the person who controls the computer library and of the person who controls online-access security- password assignments. o *Examine documents, records, and reports* - Many controls leave a clear trail of documentary evidence (both electronic and paper) that can be used to test controls. Suppose, for example, that when a customer order is received, it is used to create a customer sales order, which is approved for credit. Then the customer order is attached to the sales order as authorization for further processing. The auditor can test the control by examining the documents to make sure that they are complete and properly matched and that required signatures or initials are present. o *Observe control-related activities* - Some controls do not leave an evidence trail, which means that it is not possible at a later date to examine evidence that the control was executed. For example, separation of duties relies on specific persons performing specific tasks, and there is typically no documentation of the separate performance. For controls that leave no documentary evidence, the auditor generally observes them being applied at various points during the year. o *Reperform client procedures* - There are also control-related activities for which there are related documents and records, but their content is insufficient for the auditor's purpose of assessing whether controls are operating effectively. For example, assume that prices on sales invoices are obtained from the master price list, but no indication of the control is documented on the sales invoices. In these cases, it is common for the auditor to reperform the control activity to see whether the proper results were obtained. For this example, the auditor can reperform the procedure by tracing the sales prices to the authorized price list in effect at the date of the transaction. If no misstatements are found, the auditor can conclude that the procedure is operating as intended.
What is a commitment?
Closely related to contingent liabilities are commitments. They include such things as agreements to purchase raw materials or to lease facilities at a certain price and to sell merchandise at a fixed price, as well as bonus plans, profit-sharing and pension plans, and royalty agreements. *The most important characteristic of a commitment is the agreement to commit the firm to a set of fixed conditions in the future*, regardless of what happens to profits or the economy as a whole. Presumably the entity agrees to commitments to better its own interests, but they may turn out to be less or more advantageous than originally anticipated. Companies ordinarily describe all commitments either in a separate footnote or combine them with a footnote related to contingencies.
What are the five control activity types?
Control activities are the policies and procedures, in addition to those included in the other four control components that help ensure that necessary actions are taken to address risks to the achievement of the entity's objectives. • Adequate separation of duties (ARC-IT) • Proper authorization of transactions and activities • Adequate documents and records • Physical control over assets and records • Independent checks on performance
What are the four principles for documents and records?
Documents and records should be: • *Prenumbered consecutively* to facilitate control over missing documents and records and as an aid in locating them when they are needed at a later date. Prenumbered documents and records are important for the completeness assertion. • *Prepared at the time a transaction takes place*, or as soon as possible thereafter, to minimize timing errors. • *Designed for multiple use*, when possible, to minimize the number of different forms. For example, a properly designed electronic shipping record can be the basis for releasing goods from storage to the shipping department, inform- ing billing of the quantity of goods to bill to the customer and the appropriate billing date, and updating the perpetual inventory records. • *Constructed in a manner that encourages correct preparation*. This can be done by providing internal checks within the form or record. For example, computer screen prompts may force online data entry of critical information before the record is electronically routed for authorizations and approvals. Similarly, screen controls can validate the information entered, such as when an invalid general ledger account number is automatically rejected because the account number does not match the chart of accounts master file.
How is ARO typically measured when an auditor uses nonstatistical sampling? What about when the auditor uses statistical sampling?
For *nonstatistical sampling*, it is common for auditors to use ARO of high, medium, or low instead of a percentage. For *statistical sampling*, it is common for auditors to use a percent, such as 5% or 10%. *A low ARO implies that the tests of controls are important and will correspond to a low assessed control risk and reduced substantive tests of details of balances.* As summarized in Figure 15-2, ARO for the audit of the billing function at Hillsburg Hardware Co. is assessed as low for all attributes, because it is an accelerated filer public company and the auditor's tests of controls must provide a basis for the opinion on internal control over financial reporting. As a result, the auditor requires a low risk of overrelying on controls. Stated another way, the auditor needs greater assurance and therefore a larger sample size to support the lower risk of overreliance.
How are most frauds detected? What percentage of frauds are detected by external audits?
Frauds are often detected through the receipt of an anonymous tip, by management review, by internal audit, or by accident. External auditors detect a relatively small percentage of frauds, but are more likely to detect fraud when it materially impacts the financial statements. About 3-4% of frauds are detected by external audits.
What is a walkthrough?
In a walkthrough, the auditor selects one or a few documents of a transaction type and traces them from initiation through the entire accounting process. At each stage of processing, the auditor makes inquiries, observes activities, and examines completed documents and records. Walkthroughs conveniently combine observation, inspection, and inquiry to assure that the controls designed by management have been implemented
Why is the completeness objective less commonly tested in sales?
In many audits, no substantive tests of transactions are done for the completeness objective. This is because overstatements of assets and income from sales transactions are more likely than understatements, and overstatements also represent a greater source of audit risk. As a result, auditors often rely on substantive analytical procedures to test the completeness of revenue. If controls are inadequate, which is likely if the client does no independent internal tracing from shipping documents to the sales journal, substantive tests are likely necessary.
What is the purpose of contacting the client's attorneys?
Inquiry of the client's attorneys is a major procedure auditors rely on for evaluating known litigation or other claims against the client and identifying additional ones. The auditor relies on the attorney's expertise and knowledge of the client's legal affairs to provide a professional opinion about the expected outcome of existing lawsuits and the likely amount of the liability, including court costs. The attorney is also likely to know of pending litigation and claims that management may have overlooked. Many CPA firms analyze legal expense for the entire year and have the client send a standard inquiry letter to every attorney the client has been involved with in the cur- rent or preceding year, plus any attorney the firm occasionally engages. In some cases, this involves a large number of attorneys, including some who deal in aspects of law that are far removed from potential lawsuits. The standard inquiry to the client's attorney, prepared on the client's letterhead and signed by one of the company's officials, should include the following: *•* A list including (1) pending threatened litigation and (2) asserted or unasserted claims or assessments with which the attorney has had significant involvement. This list is typically prepared by management, but management may request that the attorney pre- pare the list. *•* A request that the attorney furnish information or comment about the progress of each item listed. The desired information includes the legal action the client intends to take, the likelihood of an unfavorable outcome, and an estimate of the amount or range of the potential loss. *•* A request of the law firm to identify any unlisted pending or threatened legal actions or a statement that the client's list is complete. *•* A statement informing the attorney of the attorney's responsibility to inform management of legal matters requiring disclosure in the financial statements and to respond directly to the auditor. If the attorney chooses to limit a response, reasons for doing so are to be included in the letter.
Why is there a risk of fraud with inventory? Give an example of inventory fraud.
Inventory is often the largest account on many companies' balance sheets, and auditors often find it difficult to verify the existence and valuation of inventories. As a result, inventory is susceptible to manipulation by managers who want to achieve certain financial reporting objectives. Because it is also usually readily saleable, inventory is also susceptible to misappropriation. While auditors are required to verify the existence of physical inventories, audit testing is done on a sample basis, and not all locations with inventory are typically tested. In some cases involving fictitious inventories, auditors informed the client in advance which inventory locations were to be tested. As a result, it was relatively easy for the client to transfer inventories to the locations being tested.
What is lapping of accounts receivable?
Lapping of accounts receivable is the postponement of entries for the collection of receivables to conceal an existing cash shortage. The embezzlement is perpetrated by a person who handles cash receipts and then enters them into the computer system. He or she defers recording the cash receipts from one customer and covers the shortages with receipts of another. These in turn are covered from the receipts of a third customer a few days later. The employee must continue to cover the shortage through repeated lapping, replace the stolen money, or find another way to conceal the shortage.
What are management's responsibilities for internal controls?
Management objective in designing internal controls: • *Reliability of reporting* - This objective relates to internal and external financial reporting as well as nonfinancial reporting; however, in this chapter we focus our initial audit planning discussion on the reliability of external financial reporting. Management is responsible for preparing financial statements for investors, creditors, and other users. Management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements of accounting frameworks such as U.S. GAAP and IFRS. The objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities. • *Efficiency and effectiveness* - Controls within a company encourage efficient and effective use of its resources to optimize the company's goals. An important objective of these controls is accurate financial and nonfinancial information about the company's operations for decision making. • *Compliance with laws and regulations* - Section 404 requires management of all public companies to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and antifraud legal provisions.
What method can auditors use to assess control risk?
Many auditors use a *control risk matrix* to assist in the control risk assessment process at the transaction level. The purpose is to provide a convenient way to organize assessing control risk for each audit objective. The control risk matrix can include both manual and automated application controls.
What is nonsampling risk? What are the two causes of nonsampling risk?
Nonsampling risk is the risk that the auditor reaches an incorrect conclusion for any reason not related to sampling risk. The two causes of nonsampling risk are the *auditor's failure to recognize exceptions* and *inappropriate or ineffective audit procedures.*
Why might an auditor dual date an audit report?
Occasionally, the auditor determines that a *subsequent event that affects the current period financial statements occurred after the date of the audit report but before the audit report was issued.* The source of such information is typically management or the media. For example, what if an audit client acquired another company after the auditor had gathered sufficient appropriate evidence to support the audit opinion? In that situation, auditing standards require the auditor to extend audit tests for the newly discovered subsequent event to make sure that it is correctly disclosed. The auditor has two equally acceptable options for expanding subsequent events tests: 1. Expand all subsequent events tests to the new date 2. Restrict the subsequent events review to matters related to the new subsequent event *For the first option*, auditors simply change the audit report date to the new date. *For the second option*, the auditor issues a dual-dated audit report, meaning that the audit report includes two dates: the first date for the completion of audit testing, except for the specific exception, and the second date, which is always later, for the exception.
Which type of confirmation is more costly and why?
Offsetting the reliability disadvantage, negative confirmations are less expensive to send than positive confirmations, and thus more can be distributed for the same total cost. Negative confirmations cost less because there are no second requests and no follow-up of nonresponses.
What is sampling risk? How can auditors reduce sampling risk?
Sampling risk is the* risk that an auditor reaches an incorrect conclusion because the sample is not representative of the population.* Sampling risk is an inherent part of sampling that results from testing less than the entire population. *Auditors have two ways to control sampling risk:* 1. Adjust sample size 2. Use an appropriate method of selecting sample items from the population Increasing sample size reduces sampling risk, and vice versa. At one extreme, a sample of all the items of a population has a zero sampling risk. At the other extreme, a sample of one or two items has an extremely high sampling risk. Using an appropriate sample selection method increases the likelihood of representativeness. This does not eliminate or even reduce sampling risk, but it does allow the auditor to measure the risk associated with a given sample size if statistical methods of sample selection and evaluation are used.
What are the requirement for management's section 404 report?
Section 404(a) of the Sarbanes-Oxley Act requires management of all public companies to issue an internal control report that includes the following: • A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting • An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company's fiscal year. Management must also identify the framework used to evaluate the effectiveness of IC, usually COSO
What does it mean by those that have a direct effect on the financial statements? What should an auditor do with this information?
Some events that occur after the balance sheet date provide additional information to management that helps them determine the fair presentation of account balances as of the balance sheet date. Information about those events helps auditors in verifying the balances. *For example, if the auditor is having difficulty determining the correct valuation of inventory because of obsolescence, the sale of raw material inventory as scrap in the subsequent period will indicate the correct value of the inventory as of the balance sheet date.* *Subsequent period events, such as the following, require an adjustment of account balances in the current year's financial statements* if the amounts are material: *•* Declaration of bankruptcy by a customer with an outstanding accounts receivable balance because of the customer's deteriorating financial condition *•* Settlement of litigation at an amount different from the amount recorded on the books *•* Disposal of equipment not being used in operations at a price below the current book value When subsequent events are used to evaluate the amounts included in the year end financial statements, auditors must distinguish between conditions that existed at the balance sheet date and those that came into being after the end of the year. The subsequent information should not be incorporated directly into the statements if the conditions causing the change in valuation took place after year-end. For example, assume one type of a client's inventory suddenly becomes obsolete because of a technology change after the balance sheet date. The sale of the inventory at a loss in the subsequent period is not relevant in the valuation of inventory for obsolescence in this case. Auditors of accelerated filer public companies must inquire about and consider any information about subsequent events that materially affects the effectiveness of internal control over financial reporting as of the end of the fiscal period. If auditors conclude that the events reflect a material weakness that existed at year-end, they must give an adverse opinion on internal control over financial reporting. If they are unable to determine the effect of the subsequent event on the effectiveness of internal control, they must disclaim their opinion on internal control.
For large samples, what are the three factors that affect sample size?
TER, ARO, and EPER.
When does the auditor need to communicate with those charged with governance regarding internal controls?
The auditor must communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as the auditor becomes aware of their existence. The communication is usually addressed to the audit committee and to management. Timely communications may provide management an opportunity to address control deficiencies before management's report on internal control must be issued. In some instances, deficiencies can be corrected sufficiently early such that both management and the auditor can conclude that controls are operating effectively as of the balance sheet date. Regardless, these communications must be made no later than 60 days following the audit report release.
Why is it important for an auditor to maintain control of the confirmation process?
The auditor should perform procedures to verify the addresses or email addresses used for confirmation. For example, auditors should consider performing additional procedures when the address is a post office box or when an email address is inconsistent with the customer's Web site address. For confirmations sent by mail, the auditor must maintain control of the confirmations until they are returned from the customer. The client may assist with preparing the confirmations, but the auditor must be responsible for mailing the confirmation outside the client's office. A return address must be included on all envelopes to make sure that undelivered mail is received by the CPA firm. Similarly, self-addressed return envelopes accompanying the confirmations must be addressed for delivery to the CPA firm's office. *These procedures are designed to ensure that responses will be received directly by the auditor.*
How does statistical sampling differ in determining the acceptability of the population?
The calculation of estimated upper exception rates using audit software or tables similar to those for calculating sample sizes.
Negative confirmations are allowed only when all four of these circumstances are present:
The determination of which type of confirmation to use is an auditor's decision, and it should be based on the facts in the audit. Auditing standards state that it is acceptable to use negative confirmations as the sole substantive audit procedure to address an assessed risk of material misstatement at the assertion level only when all of the following circumstances are present: *1. *The auditor has assessed the risk of material misstatement as low and has obtained sufficient appropriate evidence regarding the design and operating effectiveness of controls relevant to the assertion being tested by the confirmation procedure. *2.* The population of items subject to negative confirmation procedures is made up of a large number of small, homogenous account balances, transactions, or other items. *3.* The auditor expects a low exception rate. *4.* The auditor reasonably believes that recipients of negative confirmation requests will give the requests adequate consideration. For example, if the response rate to positive confirmations in prior years was extremely high or if there are high response rates on audits of similar clients, it is likely that recipients will give negative confirmations reasonable consideration as well.
What is the sample exception rate (SER)? How is it calculated?
The sample exception rate (SER) can be easily calculated from the actual sample results. *SER equals the actual number of exceptions divided by the actual sample size*. (Figure 15-3) In this example, the auditor found zero exceptions for attribute 1 and two exceptions for attribute 2, making the SER 0 percent (0 ÷ 75) for attribute 1, and 2 percent for attribute 2 (2 ÷ 100).
What is the purpose of a review for subsequent events?
The third part of completing the audit is the review for subsequent events. The auditor must review transactions and events that occurred after the balance sheet date to determine whether any of these transactions or events affect the fair presentation or disclosure of the current period statements. The auditing procedures required by auditing standards to verify these transactions and events are commonly called the review for subsequent events or post-balance-sheet review.
What are the three situations in which confirmation of accounts receivable may not be appropriate?
U.S. auditing standards indicate that auditors should use external confirmations for accounts receivable. Confirmation may not be appropriate in the following circumstances: 1. *The overall accounts receivable balance is immaterial*. Some clients, such as fast-food restaurants, may generate sales mostly on a cash basis, resulting in a negligible accounts receivable balance. 2. *The auditor considers confirmations ineffective evidence because response rates will likely be inadequate or unreliable*. In certain industries, such as hospitals, response rates to confirmations are very low. 3. *The auditor's assessed level of the risk of material misstatement (represented by the combined level of inherent risk and control risk) is low and other substantive evidence can be accumulated to provide sufficient evidence*. If a client has effective internal controls and low inherent risk for the sales and collection cycle, the auditor should often be able to satisfy the evidence requirements by tests of controls, substantive tests of transactions, and substantive analytical procedures.
Underreliance affects the ______________ of the audit. Overreliance on a control impacts the ___________________ of the audit.
Underreliance affects the *efficiency* of the audit. The incorrect conclusion that a control is ineffective may lead to an unnecessary increase in assessed control risk and substantive tests. In contrast, overreliance on a control impacts the *effectiveness* of the audit, because reliance on an ineffective control leads to an inappropriate reduction in substantive tests.
How does the auditor determine if the population is not acceptable?
When generalizing from the sample to the population, *if the sample exception rate is less than the expected rate used in planning the sample,* the auditor will conclude that the control being tested can be used to reduce assessed control risk as planned, assuming a careful analysis of the exceptions does not indicate the possibility of other significant problems with internal controls. If the calculated allowance for sampling is too low (TER - SER)
What are auditors required to do when there are nonresponses to positive confirmations? What are some examples?
When positive confirmations are used, auditing standards require follow-up procedures for confirmations not returned by the customer. It is common to send second and sometimes even third requests for confirmations. Even with these efforts, some customers do not return the confirmation, so it is necessary to follow up with alternative procedures. The objective of alternative procedures is to determine by a means other than confirmation whether the nonconfirmed account existed and was properly stated at the confirmation date. For any positive confirmation not returned, auditors can examine the following documentation to verify the existence and accuracy of individual sales transactions making up the ending balance in accounts receivable: *•Subsequent cash receipts* *•Duplicate sales invoice* *•Shipping documents* *•Correspondence with the client*
What is a representative sample? How can auditors increase the likelihood that the sample is representative?
When selecting a sample from a population, the auditor strives to obtain a representative sample. *A representative sample is one in which the characteristics in the sample are approximately the same as those of the population. This means that the sampled items are similar to the items not sampled * In practice, auditors never know whether a sample is representative, even after all testing is complete. (The only way to know if a sample is representative is to subsequently audit the entire population.) However, *auditors can increase the likelihood of a sample being representative by using care in designing the sampling process, sample selection, and evaluation of sample results.* A sample result can lead to an incorrect conclusion due to sampling error or nonsampling error. The risk of these two types of errors occurring is called sampling risk and nonsampling risk.
What are the five major components of internal control?
• *Control environment* - consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity o Integrity and ethical values o Board of Directors or audit committee participation o Organizational structure o Commitment to competence o Accountability • *Risk assessment* - involves a process for identifying and analyzing risks that may prevent the organization from achieving its objectives o Clear objectives in order to be able to identify and assess the risks relating to those objectives o Determine how the risks should be managed o Consider the potential for fraudulent behavior o Monitor changes that could impact internal controls. *Control activities* - Policies and procedures that management has established to meet its objectives for financial reporting • Develop control activities that mitigate risks to an acceptable level • Develop general controls over technology • Establish appropriate policies, procedures, and expectations *Information and communication* - purpose is to initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets • Use relevant, quality information to support the functioning of internal controls • Communicate information internally, including objectives and responsibilities for internal control • Communicate with external parties relevant information related to internal controls *Monitoring* - deal with ongoing or periodic assessment of the quality of internal control by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions • Perform periodic evaluations • Communicate identified deficiencies to those who can remediate
What are two ways that cash can be stolen involving revenue (misappropriation of receipts)? Give examples of each.
• *Failure to Record a Sale* - One of the most difficult frauds to detect is when a sale is not recorded and the cash from the sale is stolen. Such frauds are easier to detect when goods are shipped on credit to customers. Tracing shipping documents to sales entries in the sales journal and accounting for all shipping documents can be used to verify that all sales have been recorded. o It is much more difficult to verify that all cash sales have been recorded, especially if no shipping documents exist to verify the completeness of sales, and no customer account receivable records support the sale. In such cases, other documentary evidence is necessary to verify that all sales are recorded. For example, a retail establishment may require that all sales be recorded on a cash register. Recorded sales can then be compared to the total amount of sales on the cash register tape. If the sale is not included in the cash register, it is almost impossible to detect the fraud. • *Theft of Cash Receipts After a Sale Is Recorded* - It is much more difficult to hide the theft of cash receipts after a sale is recorded. If a customer's payment is stolen, regular billing of unpaid accounts will quickly uncover the fraud. As a result, to hide the theft, the fraud perpetrator must reduce the customer's account in one of three ways: o 1. Record a sales return or allowance o 2. Write off the customer's account o 3. Apply the payment from another customer to the customer's account, which is also known as lapping
What are the three types of revenue manipulations? Give examples of each.
• *Fictitious revenues* o The most egregious forms of revenue fraud involve creating fictitious revenues. You may be aware of several recent cases involving fictitious revenues, but this type of fraud is not new. The 1931 Ultramares case described in Chapter 5 (p. 122) involved fictitious revenue entries in the general ledger. Fraud perpetrators often go to great lengths to support fictitious revenue. Fraudulent activity at Equity Funding Corp. of America, which involved issuing fictitious insurance policies, lasted nearly a decade (from 1964 to 1973) and involved dozens of company employees. The perpetrators held file-stuffing parties to create the fictitious policies. • *Premature revenue recognition* o Companies often accelerate the timing of revenue recognition to meet earnings or sales forecasts. Premature revenue recognition, the recognition of revenue before accounting standards requirements for recording revenue have been met, should be distinguished from cutoff errors, in which transactions are inadvertently recorded in the incorrect period. In the simplest form of accelerated revenue recognition, sales that should have been recorded in the subsequent period are recorded as current period sales. • *Manipulation of adjustments to revenues* o The most common adjustment to revenue involves sales returns and allowances. A company may hide sales returns from the auditor to overstate net sales and income. If the returned goods are counted as part of physical inventory, the return may increase reported income. In this case, an asset increase is recognized through the counting of physical inventory, but the reduction in the related accounts receivable balance is not made. Companies may also understate bad debt expense, in part because significant judgment is required to determine the correct amount. Companies may attempt to reduce bad debt expense by understating the allowance for doubtful accounts. Because the required allowance depends on the age and quality of accounts receivable, some companies have altered the aging of accounts receivable to make them appear more current.
What are the three components of the fraud triangle? Give examples of each.
• *Incentives/Pressures* - Management or other employees have incentives or pressures to commit fraud. o Personal financial obligations create pressure for those with access to cash or other assets susceptible to theft to misappropriate those assets. o Adverse relationships between management and employees with access to assets susceptible to theft motivate employees to misappropriate those assets. Examples include the following: Known or expected employee layoffs. Promotions, compensation, or other rewards inconsistent with expectations • *Opportunities* - Circumstances provide opportunities for management or employees to commit fraud. o Presence of large amounts of cash on hand or inventory items that are small, of high value, or are in high demand. o Inadequate internal control over assets due to lack of the following: Appropriate segregation of duties or independent checks. An approved vendor list to detect unauthorized or fictitious vendors. Job applicant screening for employees with access to assets. Mandatory vacations for employees with access to assets • *Attitudes/Rationalization* - An attitude, character, or set of ethical values exists that allows management or employees to commit a dishonest act, or they are in an environment that imposes sufficient pressure that causes them to rationalize committing a dishonest act. o Disregard for the need to monitor or reduce risk of misappropriating assets. o Disregard for internal controls by overriding existing controls or failing to correct known internal control deficiencies.
Auditors commonly use what three types of documents to obtain and document their understanding of internal control?
• *Narrative* - A narrative is a written description of a client's internal controls. A proper narrative of an accounting system and related controls describes four things o The origin of every document and record in the system o All processing that takes place o The disposition of every document and record in the system o An indication of the controls relevant to the assessment of control risk • *Flowchart*: An internal control flowchart is a diagram of the client's documents and their sequential flow in the organization. An adequate flowchart includes the same four characteristics identified for narratives. Well-prepared flowcharts are advantageous primarily because they provide a concise overview of the client's system, including separation of duties, which helps auditors identify controls and deficiencies in the client's system. Flowcharts have two advantages over narratives: typically they are easier to read and easier to update. It is unusual to use both a narrative and a flowchart to describe the same system because both present the same information • *Internal Control Questionnaire*: An internal control questionnaire asks a series of questions about the controls in each audit area as a means of identifying internal control deficiencies. Most questionnaires require a "yes" or a "no" response, with "no" responses indicating potential internal control deficiencies. By using a questionnaire, auditors cover each audit area reasonably quickly. The two main disadvantages of questionnaires are their inability to provide an overview of the system and their inapplicability for some audits, especially smaller ones
What are some common types of differences an auditor may see on a confirmation sent back?
• *Payment has already Been Made*: Reported differences typically arise when the customer has made a payment before the confirmation date, but the client has not received the payment in time for recording before the confirmation date. Such instances should be carefully investigated to determine the possibility of a cash receipts cutoff misstatement, lapping, or a theft of cash. • *Goods have Not Been received*: These differences typically result because the client records the sale at the date of shipment and the customer records the acquisition when the goods are received. The time that the goods are in transit is often the cause of differences reported on confirmations. These should be investigated to determine the possibility of the customer not receiving the goods at all or the existence of a cutoff misstatement on the client's records. • *The Goods have Been returned*: The client's failure to record a credit memo could have resulted from timing differences or the improper recording of sales returns and allowances. Like other differences, these must be investigated. • *Clerical errors and Disputed amounts*: The most likely types of reported differences in a client's records are when the customer states that there is an error in the price charged for the goods, the goods are damaged, the proper quantity of goods was not received, and so forth. These differences must be investigated to determine whether the client is in error and the amount of the error.
What are the four guidelines for separation of duties?
• Separation of the custody of assets from accounting • Separation of the authorization of transactions from the custody of related assets • Separation of operational responsibility from record-keeping responsibility • Separation of IT duties from user departments
The accurate recording of sales transactions concerns the following three things:
• Shipping the amount of goods ordered • Accurately billing for the amount of goods shipped • Accurately recording the amount billed in the accounting records Posting and sum - Classification - Timing
What are the four courses of action an auditor has if the population is determined to not be acceptable?
• revise TER or ARO • expand the sample size • revise assessed control risk • communicate with the audit committee or management
