Chapter 6, Auditing
Reportable conditions
(= significant deficiencies in design or operation) must be reported to audit committee; can be done orally.
Material Weakness
(= reportable condition in which the design or operation of an IC component does not reduce to a low level the risk that material errors/fraud will be detected)
Control Procedures for Information Systems and Communications
Either manual or automated; usually evaluated by using walkthroughs. Include:
- Performance reviews: compare actual with budgets and forecasts; investigate differences
- Information processing controls: check accuracy, completeness, and authorization of processing of a transaction (general controls and application controls)
- Physical controls (secured facilities, periodic counting of assets, etc.)
- Segregation of duties: segregate authorization, recording, and custody of assets
Application Controls in an IT environment
- Apply to the processing of specific computer applications and are part of the computer program
- Apply to the processing of individual accounting applications
Include:
- Data capture controls: must ensure that all transactions are recorded, recorded only once, and rejected transactions are reentered (occurrence, completeness, accuracy)
  - Source documents, batch processing: use batch #s, batch totals
  - Direct data entry: use a transaction log
  - Combination
- Data validation controls: accuracy
- Processing controls: many data validation controls are performed as part of processing controls
- Output controls: avoid distribution to unauthorized users; distribution log
- Error controls
7 factors that affect Control Environment
- Communication and Enforcement of Integrity and Ethical Values (remove incentives/opportunities to act unethically)
- Commitment to Competence (job descriptions)
- BoD and Audit Committee (independence, experience, interaction with auditors)
- Mgt.'s philosophy and operating style (conservative/aggressive selection from GAAP)
- Organizational structure (org chart, job description)
- Assignment of Authority and Responsibility (chart, job description)
- Human Resource Policies (hiring, training, etc.)
What are some things to consider when examining internal controls?
- Have the five components (CRIME) of IC been designed and placed in operation?
- Previous experience with client, inquiry of mgt. and personnel, observation
- Size of entity has an effect on how the 5 IC components are used (how?)
Test of Controls Procedures Include:
- Inquiry
- Inspection of documents, reports, electronic files
- Observation of the application of control
- Walkthroughs
- Reperformance
Timing of Audit Procedures
- Interim tests of controls (staff less busy, more time to react)
- Interim substantive procedures (may increase risk of material misstatements)
Benefits of IT on IC
Timeliness, accuracy, consistent application of predefined rules
Substantive Strategy
Standards require that the auditor gets an understanding of IC. May decide to follow a substantive strategy because:
- Controls do not pertain to an assertion
- Controls are assessed as ineffective
- Testing the effectiveness of controls is efficient
Control risk set at maximum
Test of Controls
Test either design or operation of an internal control
Which of the following should not normally be included in the engagement letter for an audit?
A listing of the client's branch offices selected for testing
General Controls in an IT environment
Also called supervisory, mgt., or IT controls. Include controls over:
- Data and network operations
- System software acquisition, change, maintenance
- Access security
- Application systems acquisition, development, maintenance
In planning and performing an audit, auditors are concerned about risk factors for two distinct types of fraud: fraudulent financial reporting and misappropriation of assets. Which of the following is a risk factor for misappropriation of assets?
An unreliable accounting system
Reliability of ________ controls is affected by reliability of _______ controls
Application, general
Components of Internal Control
CRIME
- Control activities/procedures
- Risk assessment
- Information system
- Monitoring
- control Environment
Tracing from source documents to journals most directly tests:
Completeness (understatement)
How do we document the understanding of IC?
- Copies of procedures manuals and org charts
- Memorandums
- IC questionnaires
- Flowcharts
Limitations of IC
Cost should not exceed benefits. Subject to:
- Mgt. override
- Errors
- Collusion
The primary objective of tests of details of transactions performed as substantive procedures is to:
Detect material misstatements in the financial statements
The risk that the auditors will conclude, based on substantive procedures, that a material misstatement does not exist in an account balance when, in fact, such misstatement does exist is referred to as:
Detection risk
Vouching from journals (or ledgers) to source documents most directly tests:
Existence (overstatement)
Which of the following best describes what is meant by the term "fraud risk factor"?
Factors often observed in circumstances where frauds have occurred
Which of the following should the auditors obtain from the predecessor auditors before accepting an audit engagement?
Facts that might bear on the integrity of management
What happens if control risk is set at max or minimum?
If the auditor sets control risk at the maximum (substantive strategy), the assessment is documented and substantive tests are performed.
If the auditor sets control risk below the maximum, the auditor must:
- Identify specific controls that will be relied upon
- Perform tests of controls
- Conclude on the achieved level of control risk
Which of the following elements underlies the application of generally accepted auditing standards, particularly the standards of fieldwork and reporting?
Materiality and audit risk
The audit committee of a company must be made up of:
Members of the board of directors who are not officers or employees
Risk Assessment
Mgt. should consider external and internal events that may arise and affect financial reporting, consider their significance and likelihood of occurrence, and plan how to react
Low detection risk requires
- More reliable evidence
- Most of audit work conducted at year end
- Extensive tests (larger sample)
Monitoring of Controls can be done in which two ways?
Ongoing or separate
- Ongoing: info provided by acct. system is evaluated (for example: activity reports)
- Separate: Internal Audit
As one step in testing sales transactions, a CPA traces a random sample of sales journal entries to debits in the accounts receivable subsidiary ledger. This test provides evidence as to whether:
Recorded sales have been properly posted to customer accounts.
Client Business risk can be caused by?
- Regulatory changes
- New personnel
- Rapid growth
- Corporate restructurings
- New accounting pronouncements
Reliance Strategy
- Requires a more detailed understanding of IC
- Auditor documents understanding of IC and plans and performs tests of controls
- Compares achieved level of control risk with planned level
- Revises planned level of substantive procedures / documents level of control risk
- Performs substantive procedures
Which portion of an audit is least likely to be completed before the balance sheet date?
Substantive procedures
Three conditions generally are present when fraud occurs. Select the one below that is not one of those conditions.
Supervisory position
The auditors are concerned about source documents that reflect valid transactions that have not been recorded in the journals. Which procedure would be most effective?
Trace from source documents to journals
The auditors are concerned about transactions that have been recorded for improper amounts. Which procedure would be most effective:
Trace from source documents to journals or vouch from journals to source documents
Which of the following is most likely to be an overall response to fraud risks identified in an audit?
Use less predictable audit procedures
The auditors are concerned about transactions that have been recorded in the journal (and subsequently in the ledgers) that are not valid, that is, a transaction is recorded but did not actually occur (e.g. a fraudulent overstatement of sales). Which procedure would be most effective?
Vouch from journals to source documents
General Controls
Controls over data center and network, software acquisition, maintenance, access security
Planning an audit strategy: what are the two types, and how is a new client different?
Must use the audit risk model to assess control risk: AR = IR * CR * DR
- With a new client, will wait to decide on an audit strategy until there is a good understanding of IC
- Two types: Substantive and Reliance
Assessing Control Risks
Process of evaluating the effectiveness of an entity's internal control in preventing or detecting material misstatements
Application Controls
Controls over the processing of individual transactions to ensure occurrence, completeness, and accuracy of each transaction (for example: is the transaction properly authorized?)
Internal Control
Provides reasonable assurance about the achievement of the entity's objectives with respect to:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
Risks of IT on IC
Reliance on a system that inaccurately processes data, unauthorized changes, potential loss of data
Substantive Procedures include what?
Substantive AP and tests of details