Auditing Exam 1

Know the eight steps in understanding business processes and risks

1. understand business objectives 2. identify business processes 3. identify key processes and key objectives of each process 4. identify and assess risks associated with Key processes (heat map) 5. identify risk responses (4 ts) 6. complete a risk/control matrix 7. prepare a risk/heat map 8. prepare a risk control map

section 302 of SOX

302 is the requirement that the CFO and CEO certify/sign off the Financial statement (no omitted information) and that they believe the document present accurate information

definition of "professional skepticism"

Auditor has a questioning mindset (when talking with management and making inquiries, when collecting evidence ask if the evidence is reliable and sufficient, reliable and relevant)

Define corporate governance role of the BOD and the audit committee, and internal audit

BOD the people, systems and processes within companies to use to ensure companies are well managed (oversight of management and to make sure risks are identified and controlled a. BOD provides oversight to internal controls over financial reporting b. Audit committee: bigger role, they interact directly with external auditor and internal auditor reports directly to them (prevents conflict of interest) c. Internal auditors are the eyes and the ears of the company

Regarding risk management, "high" and "low" loss frequency and severity are:

Defined differently for different firms

4 audit procedures that auditors use in order to gain an understanding of inherent risk associated with the client's operating environment and industry.

Inquiry: talk to everyone management, BOD, suppliers Analytical procedures: FS auditors are required to perform analytical procedures (ratios, trend analysis) Observations: walkthrough and watch employees and see how things progress Inspection: read and study documents and glen information

Define and describe what is meant by "internal control"

Internal control, as defined by COSO, is a process carried out by the entity's BOD, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories: Reliability of Financial reports Effectiveness and efficiency of operations Compliance with applicable laws and regulations

define key performance indicator? why auditors must identify them when performing risk assessment.

Key performance indicators are what the client uses to monitor their own performance and the performance of its senior staff - Gives us an idea of that the client thinks are the most important risks and controls

Know the limitations of an effectives system of internal controls.

Management override of internal controls, make mistakes and don't catch them, employee collusions, cost benefit analysis

Be able to distinguish between an operating objective, an operating procedure, an audit objective, and an audit procedure.

Operating objective: To obtain goods at the right price Operating procedure: Buyers should use competitive bidding for purchases over a certain price - The auditor asks management what they are trying to achieve, what procedures they have in place, then they start planning this audit (how to do it-verify bidding occurs)

Understand the difference between operational and financial statement audits.

Operations: primarily performed by internal auditors; audit operation process not FS accounts - On both you are forming an opinion by gathering evidence and comparing to a standard

In determining whether transactions have been recorded, the direction of the audit testing should start from the:

Original source documents (test of completeness = trace forward)

Reperformance/Recalculation

Recalculation of client computations is compelling evidence. A client calculation must always be mathematically accurate.

Know the type of SOC report requested from the auditor of a service organization for all audits of public companies.

SOC 1 report (relate to Internal controls over financial reporting activities)

Know how financial statement auditing is similar and different from internal auditing.

Similar: systematic process of gathering evidence in order to form an opinion on how well this information presented by management conforms to something. - What they compare to changes Different: internal auditors prepare information for BOD and management FS auditors: for public interest (shareholders)

Which of the following statements is the most accurate regarding sufficient and appropriate documentation?

Sufficient and appropriate documentation should include evidence that the audit working papers have been reviewed

4 T's of risk response

Take it Treat it Transfer it: purchase of insurance terminate it

COSO Framework

The Control Environment sets the "tone at the top" of an organization, influencing the control consciousness of its people. It is the foundation of all other components, and, as a result, an auditor must obtain a detailed understanding of the control environment and document that understanding.

tracing

The auditor selects a basic source document and follows its processing path forward to find its final recording in a summary journal or ledger and ultimately the financial statements.

Completeness and cutoff assertion:

The objective is to establish with evidence that all transactions of the period are in the financial statements and all transactions that properly belong in the preceding or following accounting periods were excluded. Key questions include "Are the financial statements (including footnotes) complete?" and "Were all the transactions recorded in the right period?"

Accuracy (valuation) assertion:

The objective is to establish with evidence that transactions have been recorded at the correct amount. Key questions include "Were the expenses recorded at the proper dollar amount?"

Occurrence Assertion

The objective is to established with evidence that transactions giving rise to assets, liabilities, sales, and expenses actually occurred. Key questions include "Did the recorded sales transactions really occur?"

definition of "information risk"

The probability that the information circulated by a company will be false or misleading

how does the auditing process help to reduce information risk

This is why we need auditors because they provide an independent assessment of the financial statements and the conformity to GAAP

FASB

This organization work closely with AICPA, SEC, and PCABO when researching and drafting financing accounting and reporting standards

Identify three purposes of audit evidence.

To gain an understanding of the client and risks during test of controls: observe process during To produce evidence about management's assertions(substantive testing: testing dollar amounts)

Understand how the COSO Pyramid changed into the ERM Cube.

Took Risk assessment and split into four parts (identified objectives, event identification, risk assessment, risk response)

Know the difference between a Type 1 and a Type 2 SOC report.

Type 1: look at design of internal controls Type 2: look and test the design and tested effectiveness of controls

AICPA

Who writes the standards for non-public companies

PCAOB

Who writes the standards for public companies

Know how auditors identify critical risks.

With a heat map

auditing

a type of attestation, most specific, As noun: audit of FS only historical financial statements, ICFR (internal controls over financial reporting)

Know how auditors use analytical procedures, what is meant by analytical procedures and audit data analytics, and be able to perform simple analytical procedures.

a. Auditor are required to perform preliminary analytical procedures at the beginning of each audit and then they are supposed to do it again at the end of the audit once you have already done the audit and proposed adjusting journal entries and they have made them do the ratio again to make sure everything falls into line and is reasonable b. Auditor is required to develop an expectation of what the balance should be or what the ratio should be or what the trend should be before looking at management's numbers (to avoid anchoring on management's numbers) c. Ratios, trend analysis, form expectations, cluster analysis, time series (projection), regression (model line that is based of previous years) i. Test integrity of data before you perform analysis on in (junk in = junk out)

Know the responsibilities of management, those charged with governance (BOD), and external auditors for preventing, detecting, and reporting illegal acts.

a. Auditors need to understand law and regulations that apply the client and their operations and then are going to prepare an audit plan that will help them gain evidence and assurance regarding the clients compliance b. Management and board are responsible for making sure that there are polices to prevent and detect illegal acts c. Illegal acts that have a direct and material affect on the financial statement, external auditor are responsible for detecting them. d. Illegal acts that have a material but indirect affect, external auditors should find those but they are limited to performing specified audit procedure to identify noncompliance

Be able to identify a related party and why the auditor should be concerned.

a. Connected to client (affiliate, trust, family) it may not be a fair transaction b. Make sure you have internal controls to identify and disclose them so auditors can properly audit them

An audit team's responsibility would NOT include: a. Designing client's internal controls b. Documentation of understanding of a client's internal controls c. Communicating internal control weaknesses d. Assessing the effectiveness of a client's internal controls

a. Designing client's internal controls

An attestation engagement is one in which a CPA is engaged to:

a. Issue, or does issue, a report on subject matter that is the responsibility of another party NOT a. Provide tax advice or prepare a tax return based on financial information that the CPA has not audited or reviewed b. Testify as an expert witness in accounting, auditing or tax matters, given certain stipulated facts c. Assemble prospective financial statements based on the assumptions of the entity's management without expressing any assurance.

Know what is meant by trust services and which SOC reports are associated with assurance of trust services.

a. Type of assurance activity that auditors are supposed to do (if you provide services in cloud environment or utilize cloud, you want to assure clients that are secure), timely and accurate, anything we collect we keep private b. Soc report SOC 2 and Soc 3 (Soc 2 for one particular client one particular time; 3 for general use of reliability of system)

how a client's internal control and information technology can affect risk.

a. We know we have inherent risk with the use of technology like unauthorized access to computer software, data, is it a good install (loose date), if they develop inhouse software is it of quality and have good internal controls. Did you buy the right software and train people correctly b. New inherent risks with information technology, social media impacting sales, cybersecurity, virtual workforce risks

secondary controls

add mitigation, lessen risk, not primary

Entity-level control*

anything designed to catch the big controls (related to control environment - code of ethics, management overrides, risk assessment, monitor results, Bod ask good questions)

define risk

anything that keeps an organization from achieving its goals

key controls

associated with critical business objective

A list of audit procedures

audit plan

Know how auditing differs from attestation differs from assurance services

auditing is a type of attestation engagement and that all audits and attestation engagements are assurance services

Transaction-level controls *

authorization, segregation of duties, IT

Which of the following statements is correct regarding internal control? a. A well-designed internal control environment ensures the achievement of an entity's control objectives b. An inherent limitation to internal control is the fact that controls can be circumvented by management override c. A well-designed and operated internal control environment should detect collusion perpetrated by two people d. Internal control is a necessary business function and should be designed and operated to detect all errors and frauds

b. An inherent limitation to internal control is the fact that controls can be circumvented by management override

An auditor is concerned about a policy of management override as a limitation of internal control. Which of the following tests would best assess the validity of the auditor's concern? a. Matching purchase orders to accounts payable b. Verifying that approved spending limits are NOT exceeded c. Tracing sales orders to the revenue account d. Reviewing minutes of board meetings

b. verifying that approved spending limits are NOT exceeded

assurance

big bubble (includes everything) independent professional services

The definition of internal audit includes all of the following EXCEPT: a. Independence and objectivity b. Provision of assurance and consulting activity c. Determination of efficient and effective performance d. Additional value and improved operations

c. determination of efficient and effective performance

attestation

collect evidence to provide opinion SOC, historical financial statements, examination of forecasts, ICFR, procedures

inspection

commonly performed on tangible assets and also refers to the examination of records and documents. Looking at vendors' invoices for particular information is an example of: inspection of documents

observation

commonly used as a test of controls as it produces a general awareness of events in the client's offices. Auditors observe processes.

Direct correspondence with independent parties

confirmation

Control activities intended to ensure that transactions are recorded in the right period are designed to achieve the ASB assertion of:

cutoff

Which of the following payroll control activities would most effectively ensure that payment is made only for work performed? a. Require all employees to record arrival and departure by using the time clock b. Have a payroll clerk recalculate all time cards c. Require all employees to sign their time cards d. Require employees to have their direct supervisors approve their time cards

d. Require employees to have their direct supervisors approve their time cards

managements responsibility for ICFR

designing, implementing, and maintaining internal controls, and making for the auditors have what they need

Preventive controls*

deter unintended events from happening in the first place

detective controls*

discover undesirable events once they have already occurred (camera footage)

external auditors responsibility for ICFR

do an audit in conformity with the generally accepted auditing standards (SOX prohibits them from providing other services to their auditing clients except tax prep)

Audit workpapers should: a. Be properly cross-referenced b. Document work performed c. Support conclusions and recommendations d. Provide proof of proper supervision e. All of the above

e. all of the above

Which of the following is an underlying condition that in part creates the demand by users for reliable information? a. Economic transactions that are numerous and complex b. Decisions that are time sensitive c. Users separated from accounting records by distance and time d. Financial decisions that are important to investors and users e. All of these choices are correct.

e. all of these are correct

Confirmation of an AR balance provides primary evidence regarding which management assertion?

existence

Documentation prepared by independent parties and sent to the client

external-internal evidence

compensating controls

have key control that doesn't work all the time or mitigate the risk, secondary but compensates for key control

Know the definition of a key process.

if we don't get them done right the company won't be successful

Application controls including the 3 categories: relate to IT environment

input controls processing controls output controls

confirmation

involve direct correspondence with independent parties. It provides evidence of existence and rights & obligations, and sometimes valuation and cutoff

vouching

involves the examination of documents. When testing the existence/occurrence assertions, the auditor will take the vouching direction. The auditor begins with the search for evidence by focusing on transactions that have already been recorded in the financial statements. In vouching, the auditor selects an item in the financial records, usually from a journal or ledger, and follows its path back through the processing steps to its origin

define transaction-level risk

lower level type risks, unique to business process/transaction

Distinguish between the responsibilities of management and auditors regarding internal controls

management designed and implements internal controls. The audit team: document an understanding of the internal controls, communicate IC weaknesses to management

FS assertion: Existence assertion

no factices assets on book

General computing controls including the 4 categories (but not specific examples)

o Access to programs and data o Program change controls (approved and documented) o Computer operations controls: processes in place on how to process them, backup and recovery in place, o segregation of duties???

define inherent risk

raw uncontrolled risk that exists in the internal and external environment

A financial statement audit is NOT a guarantee that the financial statements are free from error or fraud. Absolute assurance can never be given; instead auditors provide __________

reasonable assurance

persuasive evidence must be ______

relevant: relates to audit objective reliable: a. different evidence has different levels of reliability Sufficient: inquiry of management is NEVER sufficient, need to do something else Anything prepared by auditor or received directly from third party is extremely reliable. Anything that started externally then given to the client then auditor is middle level, anything prepared from client is low reliability.

analytical procedures

require that the auditor evaluate a financial statement account and develop an expectation about what the account balance should be. When the auditor compares the expectation to the recorded balance, analytical procedures are being performed. Analytical procedures are required for external audits in the planning and review (i.e. completion) phases

Understand the concept of residual risk and risk appetite and the relation between the two.

residual risk should be <= risk appetite If, however, residual risk exceeds the organization's established risk appetite, then it is necessary to reevaluate the system of internal controls to determine if additional cost-effective controls can be implemented to further reduce residual risk to a level within management's risk appetite

What is residual risk?

risk that is not managed

define entity-level risk

risks that apply across the entire organization (ERM information system-access controls)

audit of details of transaction and balances

substantive procedures

Financial statement auditing is a

systematic process of objectively (unbiased) obtainging and evaluating evidence regarding assertions assertions (objectives/managements goal) about economic actions and events to ascertain the degree of correspondence between the assertions and established criteria (GAAP) and communicating the results to interested users

SOX also prohibits external auditors from providing other services to audit clients except

tax prepearation

FS assertion: Rights and obligations assertions

test to make sure assets are owned and liability are owed

Inquiry

the collection of verbal evidence from independent parties and management (i.e. interviews). Important inquiries and responses should be documented by the auditor in the workpapers. Auditors typically use inquiry procedures during the early planning stages of the engagement NEVER enough to reach an audit conclusion

Risk tolerance is:

the willingness of managers or organizations to accept risk

proceeding forward through the accounting and control system from the evidence financial statements

tracing

Business-process controls *

verification of assets, employee supervision and performance evaluations, risk assessment (Process or business activity

audit procedures that provide compelling evidence of existence

vouching and inspections of tangible assets