Chapter 6, Auditing Chapter 6, Auditing Chapter 6

Reportable conditions

(= significant deficiencies in design or operation) must be reported to audit committee; can be done orally.

Material Weakness

(=reportable condition in which design or operations of IC component does not reduce to low level the risk that material errors/fraud will be detected)

Control Procedures for Information Systems and Communications

--------Either manual or automated, usually evaluated by using walkthroughs Include: --------Performance reviews Compare actual with budgets, forecasts, investigate differences --------Information processing controls To check accuracy, completeness, authorization of processing of a transaction General controls, and Application Controls ------Physical controls (Secured facilities, periodic counting of assets etc) ----------Segregation of duties Segregate authorization, recording and custody of assets

Application Controls in an IT environment

-Apply to the processing specific computer applications and are part of the computer program -Apply to the processing of individual accounting applications Include: Data capture controls Must ensure that all transactions are recorded, recorded only once, rejected transactions are reentered (occurrence, completeness, accuracy) Source documents batch processing use batch #s, batch totals Direct Data Entry use a transaction log Combination Data validation controls Accuracy Processing controls Many data validation controls are performed as part of processing controls Output controls Avoid distribution to unauthorized users Distribution log Error Controls

7 factors that affect Control Environment

-Communication and Enforcement of Integrity and Ethical Values (remove incentives/opportunities to act unethical) -Commitment to Competence (job descriptions) BoD and Audit -Committee(independence,experience, interaction with auditors) Mgt.'s philosophy and operating style (conservative/aggressive selection from GAAP) -Organizational structure (org chart, job description) -Assignment of Authority and -Responsibility (chart, job description) -Human Resource Policies (hiring, training,etc.)

What are some things to consider when examining internal controls?

-Have the five components (CRIME) of IC been designed and placed in operations? -Previous experience with client, inquiry of mgt and personnel, observation -Size of entity has effect on how the 5 IC are used --HOW ?

Test of Controls Procedures Include:

-Inquiry -Inspection of documents, reports, electronic files -Observation of the application of control -Walkthroughs -Reperformance

timing of Audit Procedures

-Interim Tests of Control (staff less busy, more time to react) -Interim Substantive procedures (may increase risk of material misstatements)

Benefits of IT on IC

-Timeliness, Accuracy, consistent application of predefined rule

Substantive Strategy

-standards require that auditor gets an understanding of IC May decide to follow substantive strategy because -Controls do not pertain to an assertion -Controls are assessed as ineffective -Testing the effectiveness of controls is efficient Control risk set at maximum

Test of Controls

-test either design or operation of an internal control

Which of the following should not normally be included in the engagement letter for an audit?

A listening of the clients branch offices selected for testing

Which of the following should not normally be included in the engagement letter for an audit?

A listing of the client's branch offices selected for testing

General Controls in an IT environment

Also called supervisory, mgt. or IT controls Include controls over: Data and Network operations System software acquisition, change, maintenance Access security Application systems acquisition, development, maintenance

In planning and performing an audit, auditors are concerned about risk factors for two distinct types of fraud: fraudulent financial reporting and misappropriation of assets. Which of the following is a risk factor for misappropriation of assets?

An unreliable accounting system

Reliability of ________ controls is affected by reliability of _______ controls

Application, general

Components of Internal Control

CRIME -control Activites/procedures -risk assessment -information system -monitoring -control Environment

Tracing from source documents to journals most directly tests:

Completeness (understatement)

How do we document the understanding of IC?

Copies of procedures manuals and org charts Memorandums IC questionnaires Flowcharts

Limitations of IC

Cost should not exceed benefits Subject to: Mgt. override Errors Collusion

The primary objective of tests of details of transactions performed as substantive procedures is to :

Detect material misstatements in the financial statements

The primary objective of tests of details of transactions performed as substantive procedures is to:

Detect material misstatements in the financial statements

The risk that the auditors will conclude based on Substantive procedures that a material misstatement does not exist in an account balance when in fact such misstatement does exist is referred to as

Detection risk

The risk that the auditors will conclude, based on substantive procedures, that a material misstatement does not exist in an account balance when, in fact, such misstatement does exist is referred to as:

Detection risk

Vouching from journals(or legders) to source documents most directly test:

Existence (overstatemetn)

Which of the following best describes what is meant by the term "fraud risk factor"

Factors often observed in circumstances where frauds have occurred

Which of the following should the auditors obtain from the predecessor auditors before accepting an audit engagement

Facts that might bear on the integrity of management

Which of the following should the auditors obtain from the predecessor auditors before accepting an audit engagement?

Facts that might bear on the integrity of management

What happens if control risk is set at max or minimum?

If auditor sets control risk at the maximum (substantive strategy) assessment is documented and substantive tests are performed If auditor sets control risk below max auditor must: Identify specific controls that will be relied upon Perform test of controls Conclude on the achieved level of control risk

Which of the following elements underlies the application of generally accepted auditing standards, particularly the standards of fieldwork and reporting?

Materiality and audit risk

Which of the following elements underlies the application of generally accepted auditing standards particularly the standards of fieldwork an reporting

Materiality and auditing risk

The audit committee of a company must be made up of:

Members of the board of directors who are not officers or employees

Risk Assessment

Mgt. should consider external and internal events that may arise and affect financial reporting, consider their significance,likelihood of occurrence, and plan how to react

Low detection risk requires

More reliable evidence Most of audit work conducted at year end Extensive tests (Larger sample)

Monitoring of Controls can be done in which two ways

Ongoing or separate Ongoing: info provided by acct system is evaluated (for example: activity reports) Separate: Internal Audit

As one step in testing sales transactions, a CPA traces a random sample of sales journal entries to debits in accounts subsidiary ledger. This test provides evidence as to whether:

Recorded sales have been posted properly to customer accounts

As one step in testing sales transactions a CPA traces a random sample of sales journal entires to debits in the accounts receivable subsidiary ledger. This test provides evidence as to whether?

Recorded sales have been properly posted to customer accounts.

Client Business risk can be caused by?

Regulatory changes New personnel Rapid Growth Corporate Restructurings New Accounting Pronouncements

Reliance Strategy

Requires a more detailed understanding of IC Auditor documents understanding of IC and plans and performs tests of controls Compares achieved level of control risk with planned level Revises planned level of substantive procedures/ Documents level of control risk Performs substantive procedures

Which portion of an audit is least likely to be completed before the balance sheet date?

Substantive procedures

Three conditions generally are present when fraud occurs. Select the one below that is not one of those conditions.

Supervisory position

Three conditions generally are present when fraud occurs. Select the one below that is not one of those conditions.

Supervisory position.

The auditors are concerned about source documents that reflect valid transactions that have not been recorded in the journals. Which procedure would be most effective?

Trace from source documents to journals

The auditors are concerned about transactions that have been recorded for improper amounts. Which procedure would be most effective:

Trace from sources documents to journals or Vouch from journals to source documents

Which of the following is most likely to be an overall response to fraud risks identified in an audit?

Use less predictable audit procedures

Which of the following is most likely to be an overall response to fraud risks identified in an audit?

Use less predictable audit procedures.

The auditors are concerned about transactions that have been recorded in the journal (and subsequently in the ledgers) that are not valid - that is, a transaction is recorded, but it did not actually occur (e.g. a fraudulent overstatement of sales). Which procedures would be mos effective?

Vouch from journals to source documents

General Controls

controls over data center and network, software acquisition, maintenance, access security

Which of the following best describes what is meant by the term "fraud risk factor"

factors often observed in circumstances where frauds have occurred

The audit committee of a company must be made up of :

members of the board of directors who are not officers or employees

Planning an audit Strategy what are the two types, and how is a new client different?

must use the audit risk model to assess control risk. AR=IR *CR*DR -with a new client will wait to decide on an audit strategy until good understanding of IC. -Two types Substantive and Reliance

Assessing Control Risks

process of evaluating the effectiveness of an entity's internal control in preventing or detecting material misstatements

Application Controls

processing of individual transactions to ensure occurrence, completeness and accuracy of transaction. (for example: Is transaction properly authorized?)

Internal Control

provides reasonable assurance about the achievement of the entity's objectives with respect to: -Reliability of financial reporting -Effectiveness and Efficiency of Operations -Compliance with applicable laws and regulations

Risks of IT on IC

reliance on system that inaccurately processes data, unauthorized changes, potential loss of data

Substantive Procedures include what?

substantive AP and test of details