Auditing Chapter 7
As-of date
A concept applied to internal control reporting by the Sarbanes-Oxley Act of 2002 and PCAOB Standard No. 5. The internal control reports of both management and the auditors are as of the final day of the reporting period—the "X."
Corrective Control
A control established to remedy control problems (e.g., misstatements) that are discovered through detective controls.
Compensating control
A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective (e.g., avoiding misstatements). "X" are ordinarily controls performed to detect, rather than prevent, the original misstatement from occurring.
Material weakness
A deficiency in internal control over financial reporting (or a combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis.
Significant deficiency
A deficiency in internal control over financial reporting (or combination of deficiencies) that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
Fidelity Bonds
A form of insurance in which a bonding company agrees to reimburse an employer for losses attributable to theft or embezzlement by bonded employees.
Service Auditor
A practitioner that reports on the internal controls at a service organization.
Walk-through
A procedure in which an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and reperformance of controls.
Internal Control
A process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories of (1) operations, (2) reporting, and (3) compliance.
Management letter
A report to management containing the auditors' recommendations for correcting any deficiencies disclosed by the auditors' consideration of internal control. In addition to providing management with useful information, a management letter may also help limit the auditors' liability in the event a control weakness subsequently results in a loss by the client.
Integrated Audit
An audit where auditors, in addition to an opinion on the financial statements, express an opinion on the effectiveness of a company's internal control over financial reporting, in accordance with PCAOB Auditing Standard No. 5. Public companies with a market capitalization of $75,000,000 or more are required to undergo integrated audits.
User auditor
An auditor that audits and reports on the financial statements of a user entity.
User entity
An entity that uses the services of a service organization and whose financial statements are being audited.
Service organization
An organization or segment of an organization that provides services to user entities that are relevant to the user entities' internal control over financial reporting.
Relevant assertions
Assertions that have a meaningful bearing on whether an account balance, class of transaction, or disclosure is fairly stated. For example, valuation may not be relevant to the cash account unless currency translation is involved; however, existence and completeness are always relevant.
Incompatible duties
Assigned duties that place an individual in a position to both perpetrate and conceal errors or fraud in the normal course of job performance.
Risk assessment procedures
Audit procedures performed to obtain an understanding of the client and its environment, including its internal control. Some of the information obtained by performing these procedures may be used by the auditor as audit evidence to support assessments of the risks of material misstatement. Risk assessment procedures include (a) inquiries of management and others within the entity, (b) analytical procedures, and (c) observation and other procedures, including inquiries of others outside the entity.
Detective Controls
Controls designed to discover control problems soon after they occur.
Preventive controls
Controls that deter control problems before they occur.
Complementary controls
Controls that function together to achieve the same control objective.
Internal Auditors
Corporation employees who design and execute audit programs to test the effectiveness and efficiency of all aspects of internal control. The primary objective of internal auditors is to evaluate and improve the effectiveness and efficiency of the various operating units of an organization rather than to express an opinion as to the fairness of financial statements.
Suitable criteria
Criteria are the standards or benchmarks used to measure and present the subject matter and against which the CPA evaluates the subject matter. Suitable criteria are established or developed by groups composed of experts that follow due process procedures, including exposure of the proposed criteria for public comment. Suitable criteria must have each of the following attributes: objectivity, measurability, completeness, and relevance.
Redundant controls
Duplicate controls that achieve a control objective.
Foreign Corrupt Practices Act
Federal legislation prohibiting payments to foreign officials for the purpose of securing business. The act also requires all companies under SEC jurisdiction to maintain a system of internal control providing reasonable assurance that transactions are executed only with the knowledge and authorization of management.
Internal control questionnaire
One of several methods of describing internal control in audit working papers. "X" are usually designed so that "no" answers prominently identify weaknesses in internal control.
Substantive procedures (tests)
Procedures performed by the auditor to detect material misstatements in account balances, classes of transactions, and disclosures.
Test of controls
Procedures performed by the auditor to test the operating effectiveness of controls in preventing or detecting material misstatements at the relevant assertion level. These tests are performed when the auditor's risk assessment includes an expectation of the operating effectiveness of controls, including circumstances in which planned substantive procedures alone do not provide sufficient appropriate audit evidence.
Further audit procedures
Substantive procedures for all relevant assertions and tests of controls when the auditors' risk assessment includes an expectation that controls are operating effectively. The auditors perform risk assessment procedures to obtain an understanding of the client and its environment, including internal control. They then conduct a risk assessment and determine the appropriate further audit procedures.
Control Risk
The possibility that a material misstatement due to error or fraud in a financial statement assertion will not be prevented or detected by the client's internal control.
Inherent Risk
The risk of material misstatement of a financial statement assertion, assuming there are no related controls.
Transaction cycle
The sequence of procedures applied by the client in processing a particular type of recurring transaction. The auditors' working paper description of internal control often is organized around the client's major transaction cycles.
Deficiency in internal control
A situation in which the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis. A deficiency in design exists when either a control necessary to meet a control objective is missing or the existing control is not designed to operate effectively. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.
Audit decision aid
A standard checklist, form, or computer program that assists auditors in making audit decisions by ensuring that they consider all relevant information or that aids them in weighting and combining the information to make a decision.
Systems flowcharts
A symbolic representation of a system or series of procedures with each procedure shown in sequence. "X" are a widely used method of describing internal control in audit working papers.
Written narrative of internal control
A written summary of internal control for inclusion in audit working papers. Written narratives are more flexible than questionnaires, but by themselves are practical only for describing relatively small, simple systems.
Risk Tolerance
The acceptable level of variation in performance relative to the achievement of objectives. For example, a company may expect staff to respond to all customer complaints within 24 hours, but accept that up to 10% of complaints receive a response within 36 hours.
Organizational structure
The division of authority, responsibility, and duties among members of an organization.
Planned assessed level of control risk
The level of control risk the auditors assume in designing further audit procedures, which include an appropriate combination of tests of controls and substantive procedures.
Assessed level of control risk
The level of control risk used by the auditors in determining the acceptable detection risk for a financial statement assertion and, accordingly, in deciding on the nature, timing, and extent of substantive procedures.