ACC 450 Chapter 7
Material weakness
A deficiency in internal control such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis; communication to management and audit committee required
Significant deficiency
A deficiency in internal control that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting; communication to management and audit committee required
An engagement letter is best described as:
A letter from the auditors to company management that specifies the responsibilities of both the company and the auditors in completing the audit and timing for its completion
At the completion of the audit, the auditors are least likely to know:
Actual control risk
What are the three control risks?
Actual control risk, planned assessed level of control risk, and assessed level of control risk
Completeness refers to:
All assets have been recorded
The accounting information and communication system
An information system
Control activities
An organization will establish policies and procedures to help ensure management directives are carried out
What is an option for nonpublic companies who have not experienced change in their internal controls?
Auditors may be able to rely on evidence of operating effectiveness obtained in previous audits; in these situations, tests of controls must be performed every third audit
Implemented
Auditors must determine that internal controls have been placed in operation
Walk-through
Auditors trace one or two transactions of each major type through the system
What are the segregation of duties?
Authorization, recording, and custody
When a CPA decides that the work performed by internal auditors may have an effect on the nature, timing, and extent of the CPA's procedures, the CPA should consider the competence and objectivity of the internal auditors. Relative to objectivity, the CPA would:
Consider the organizational level to which the internal auditors report the results of their work
What are the 5 components of Internal Control?
Control environment, risk assessment, the accounting information and communication system, control activities, monitoring
Why would an auditor have a planned assessed level of control risk at the maximum level?
Controls look weak; controls appear to be correct but too costly to test
What are the 3 deficiency types in IC?
Deficiency, Significant deficiency, material weakness
What would be least likely to be considered an objective of internal control?
Detecting management fraud
Effective internal control in a small company that has an insufficient number of employees to permit proper separation of responsibilities can be improved by:
Direct participation by the owner in key record keeping and control activities of the businesses
Inquiries
Discuss with the appropriate client personnel the manner in which the control functions
Which of the following is not an advantage of establishing an enterprise risk management system within an organization?
Eliminates all risks
To have an adequate basis to issue a management report on internal control under Section 404(a) of the Sarbanes-Oxley Act, management must all, except:
Establish internal control with no material weakness
Operating effectiveness
Evaluated by performing tests of controls; determines how a control was applied, the consistency with which it was applied, and by whom it was applied
Tests of controls do not address:
How controls were originated
Planned and assessed control risk below maximum level requires:
Identifying IC procedures relevant to account or assertion and tests of controls
What are the four types of tests of controls?
Inquiries, inspection, observation, re-performance
Inspection
Inspect invoices and determine whether evidence exists that the procedures have been performed
What audits is the PCAOB finding the most problems in?
Internal control audits
Monitoring
Internal controls need to be monitored over time to determine whether they continue to be relevant and able to address new risks of the organization
A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with:
Knowledge necessary to determine the nature, timing, and extent of further audit procedures
Who should be communicated to about control related matters?
Management and audit committee
Audits of internal control over financial reporting (ICFR)
Management is to perform an assessment and evaluation of ICFR and issue its own report; The company's external auditors are to audit and report on ICFR
An entity's ongoing monitoring activities often include:
Management review of weekly performance reports
Control environment
Management's and directors' attitudes, awareness, and actions
Adverse opinion
Material weakness
What is the assessed level of control risk if no tests of controls are performed?
Maximum
What is the assessed level of control risk if tests of control performed, system found not to be operating effectively?
Maximum
If no tests of control have been performed, control risk must be assessed at:
Maximum level
Unqualified opinion
May be issued when there have been no identified material weaknesses an when there have been no restrictions on the scope of the auditor's work
What can break down internal controls?
Misunderstandings, mistakes of judgment, carelessness, and collusion/management override
What is the assessed level of control risk if tests of controls performed, system operating as anticipated?
Moderate
What is the assessed level of control risk if tests of controls performed, system operating somewhat effectively, but not as well as anticipated?
Moderate
What areas are difficult to control in IC?
Non-routine transactions and accounting estimates
What is least likely to be a test of controls?
Observation of confirmations
Observation
Observe application of the procedures being applied to the invoices several times during the year
What is the path of auditors consideration of internal control?
Obtain understanding of IC (risk assessment procedures), document understanding of IC, assess risks of material misstatement (risk assessment), design further audit procedures
Tests of controls ordinarily are designed to provide evidence of:
Operating effectiveness
What are the control activities?
Performance reviews, Information processing controls, physical controls, segregation of duties
Controls over financial reporting are often classified as preventative, detective, or corrective. What is an example of a detective control?
Preparing bank reconciliations
Re-performance
Re-perform the procedure by comparing quantities shown on each invoice to the quantities listed on the related shipping documents and by comparing unit prices to the client's price lists
As one step in testing sales transactions a CPA traces a random sample of sales journal entries to debits in the accounts receivable subsidiary ledger. This test provides evidence as to whether:
Recorded sales have been properly posted to customer accounts
Internal Control
Reliability of financial reporting, effectiveness and efficiency of operations, compliance wit applicable laws and regulations
No opinion/qualified opinion
Scope limitation
Management of Warren Company has decided to respond to a particular risk by hedging the risk with futures contracts. This is an example of:
Sharing
What is the primary focus of audits of ICFRs?
Significant accounts and disclosures and relevant assertions
What is meant by tests being cost-justified?
Spending a little money now will prevent the risk of losing more money in the long run
Which portion of an audit is most likely to be completed after the balance sheet date?
Substantive procedures
An auditor may compensate for a weakness in internal control by increasing the extent of:
Substantive tests of details
When the auditors are performing a first-time internal control audit in accordance with the Sarbanes-Oxley Act and PCAOB standards, they must:
Test controls for all significant accounts
Actual control risk
The actual, unknown, risk that a material misstatement could occur in an assertion and will not be prevented or detected on a timely basis by an entity's internal control
The audit of ICFR should be integrated with:
The audit of the F/S
The planned assessed level of control risk is at the maximum unless:
The auditor plans to perform tests of controls to obtain evidence on whether internal control operates effectively
What are the current auditors' responsibilities with regard to contacting a client's predecessor's auditors?
The current auditors should attempt communications with the predecessor auditors and ask if they had any accounting policy disagreements with the client
Assessed level of control risk
The level at which control risk is assessed for purposes of determining the scope of substantive procedures
Risk assessment
The organization's process of identifying potential risks to its financial reporting objectives and developing actions to address those risk
The preliminary assessments of control risk are often referred to as:
The planned assessed level of control risk
What factor most likely would cause a CPA to not accept a new audit engagement?
The prospective client is unwilling to make financial records available to the CPA
Control risk
The risk that the internal control will fail to prevent, or detect and correct, material misstatement
What is true about the testing direction of tests for unrecorded assets?
They typically involve tracing from source documents to journal entries
Planned assessed level of control risk
This level is lower than the maximum level when the assessed level of the risk of material misstatement presumes that controls operate effectively
Why do auditors consider internal control?
To assess the risk of material misstatement and to assess control risk and then determine the nature, timing, and extent of further audit procedures
What is the purpose of audits of ICFR?
To obtain reasonable assurance that deficiencies that would represent material weaknesses are identified
What approach should be used to identify controls to test?
Top-down approach; start at F/S level and work down to forming an opinion on effectiveness of ICFR
What symbol indicates that a file has been consulted?
Trapezoid <-> Triangle
Opinions on audits of ICFRs
Unqualified opinion, adverse opinion, disclaimer of opinion/no opinion/qualified opinion
When is assessed level of control risk at the maximum level?
When no tests of controls are performed
Deficiency
When the design or operation of a control does not allow management or employees, in a normal course of performing their assigned functions, to prevent or detect material misstatements on a timely basis; communication to management and audit committee not required
When would an auditor perform tests of controls?
When they appear effective and cost-justified