Audit Quiz 2
Indicators of a material weakness
- Restatement of previously issued financial statements - Evidence of material misstatements (caught by the audit team) that were not prevented or detected by client's internal controls. - Ineffective oversight of financial reporting process by entity's audit committee. - Indication of fraud (either material or immaterial) by senior management.
Debrief from Freeman Manufacturing
- Take important stuff from it; free response on quiz may be application in a case like this / ABC - Risk 3 - person gathering info queried monthly info from IT system = because you can manipulate that data, it becomes an additional form of IPE and thus IT controls no longer cover it - Monthly review by executives over F/S generally not enough to detect RMM - Once assessed that the design is bad, no need to test operating --> already high RMM and thus must go to client - Could have a lower risk but still have a poor associated control - Must understand internal controls (control environment + walking through every flow of transactions for major classes such as purchases, sales, additions) bc must understand WCGW which helps with better audit from substantive, starting perspective - Certain companies must report ion internal controls (public) - COSO cube; must understand five components at front, but most of time speant with control activities bc this is details of testing; JUST USING REPORTING at top so just that little sliver - IPE = understand it and risks associated w it because can't blindly use budget / monthly reports but test to make sure complete + accurate
What two types of evidence do auditors examine when directly testing an account balance or transaction?
1) Underlying accounting data (journals, ledgers, data files, SPREADSHEETS) 2) Corroborating information (documents such as invoices, written representations from 3rd parties such as vendors, INQUIRIES of management, minutes of board meetings)
When does a deficiency in design exist?
1) a control necessary to meet the control objective is missing 2) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met THERE IS NO NEED TO TEST OPERATING EFFECTIVENESS OF A DEFICIENTLY DESIGNED CONTROL
How are audit procedures used?
1) for risk assessment procedures to understand the client's risks 2) for test of controls to test the operating effectiveness of client internal control activities 3) for substantive procedures that produce evidence about management's assertions related to amounts and disclosures of the F/S - conduct substantive procedures with substantive analytical procedures or tests of details
Steps in assessing control risk
1. Identify specific controls that will be relied upon 2. Perform tests of controls 3. Conclude on the achieved level of control risk
Objectives of audit documentation
1. Improve audit quality 2. Enhance public confidence QC
Control environment principles
1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
When must documentation be finalized after audit report release date?
45 DAYS after 45 days and finalized, documentation cannot be deleted, and additions need approval
How long must documentation be retained after the audit report release date?
7 YEARS If no report --> from last day of field work
Are tests of operating effectiveness done through interim?
Yes, but ICFR opinion is as of the year-end, so want to reduce control risk for the entire year
How is a material weakness reported?
Adverse ICFR opinion Communicate in writing to audit committee before report is issued CAN SAY "no material weaknesses exist"
The auditor should assess control risk for each relevant assertion by evaluating the evidence obtained from all sources, including: The auditor's testing of controls for the audit of internal control on a public company Any control deficiencies identified during the audit Misstatements detected during the financial statement audit All of these are correct
All of the above
Integrated Audit
An audit of both financial statements and internal control over financial reporting, provided by the external auditor, that is required for public companies Scoping is consistent between ICFR audit and F/S audit (same accounts, assertions, materiality, etc)
Information Produced by the Entity (IPE)
Any information (such as collect, process, store, report, transformed information) that is produced by the company's information systems beyond manually prepared information
What type of control is a 3-way match of A/P information by the system before payment of the invoice?
Application control Prevent control (NOT IN G/L YET --> detect would be if was already in G/L)
Computer Assisted Audit Tools and Techniques (CAATs)
Auditor can extract client info without disrupting data processing CAAT procedures include calculating field stats, performing recalculations, joining different data files, sample selection for detailed analysis
Three phases of internal control testing
Big blue diagram for steps to go through in light of five buckets of COSO framework Obtain an understanding of internal control Assessment Testing OAT
When is audit evidence more reliable?
Comes from an independent source outside the entity Obtained by the auditor directly (e.g. by observation) than indirectly (e.g. by inquiry) When it exists in documentary form "prepared contemporaneously" (occurring at the same time) If documents are original rather than copies
An auditor most likely would review an entity's periodic accounting for the numerical sequence of shipping documents and invoices to support management's financial statement assertion of:
Completeness --> starting from shipping documents and then going to F/S
To test the operating effectiveness of a control, an audit team might use a combination of each of the following tests except for: Observation of company operations Inspection of documentation Confirmation of balances Inquiry of client personnel
Confirmation of balances
Roll-forward procedures from interim to year-end
Consider control risk failure and results of interim testing, sufficiency of evidence obtained at interim, length of remaining period, possibility of control changes since interim
Control activities vs monitoring activities
Control = actions taken and procedures followed to prevent or detect errors = review, approve, analyze, check Monitoring = actions taken to ensure control activities are actually working (higher level) = evaluate production of information to assess control processes that generated the information
Controls vs Processes
Control = specific actions taken by company employees to help ensure that management's directives are carried out (actions to ensure accuracy of F/S) Processes = actions performed by accounting personnel that are not controls
The most important foundational component of an entity's internal control system is: Control Environment Compliance with applicable laws and regulations Reliability of financial reporting Effectiveness and efficiency of operations
Control Environment
Five components of evaluating if ICFR is effective, broken into 17 principles
Control Environment Risk Assessment Control Activities (majority of work) Information and Communication Monitoring Activities RICC M
Documentation of control execution
Control owner does not understand what constitutes evidence of the control Reluctance to maintain iterative documents or questions asked Availability of auditable evidence
Prevent Control vs Detect Control
Prevent = control that stops a misstatement before it is recorded in the general ledger Detect = control that identifies a misstatement in the general ledger Walkthrough documentation addresses classification of each control
What type of control is a bank reconciliation which includes an outstanding checklist?
IT dependent manual control Detect control (RECONCILING G/L with bank statements so detect)
What type of control is a CFO review of goodwill impairment memo and associated calculations?
IT dependent manual control Prevent control
Audit over ICFR
FOR PUBLIC COMPANIES audit and issue an opinion attesting to management's claim of effective internal control over ICFR involves testing controls The SEC requires publicly traded companies with at least $100 million in revenue to have their auditors complete a separate attestation of ICFR (internal control over financial reporting)and also include the auditor attestation report in their Form 10-K.
What type of documentation must be retained?
Includes documentation of differences in professional judgements among team members (so has every possible perspective on materiality for example)
Information and communication
Information necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives Communication provides organization with information needed to carry out control activities and enables personnel to understand internal control responsibilities and their importance to achievement of objectives
Documentation of control design
Inputs (information used, judgements, and criteria for investigation) Procedures (confirm accuracy of inputs and investigate where necessary) Outputs (including evidence necessary) Documentation not viewed as important / updating it not viewed as important
Steps in performing tests of controls' operating effectiveness
Inquire Observe Inspect Re-perform All have their concerns, so do as many different types as possible but do not worry if cannot do them all
Inquire
Inquire of control owner to understand all of the procedures performed in the control, including documents reviewed Validate precision of control is sufficient and procedures are consistent with design documentation Least persuasive test
Operating effectiveness procedures from least to most persuasive
Inquiry Observation Inspection Reperformance
Inspect
Inspect all the documents reviewed, looking for evidence of review (sign-offs, tickmarks, etc.), including the nature and extent of the review (items investigated, questions asked, responses to those questions, changes to the documents, etc.) Sign off DOES NOT guarantee a thorough review
Which of the following procedures would provide the most reliable audit evidence? a. Inquiries of the client's internal audit staff held in private b. Inspection of prenumbered client purchase orders filed in the vouchers payable department c. Analytical procedures performed by the auditor on the entity's trial balance d. Inspection of bank statements obtained directly from the client's financial institution
Inspection of bank statements obtained directly from the client's financial institution - c is good but not the best - analytical procedures = evaluations of financial information through analysis of plausible relationships among both financial and non-financial data (year-to-year comparison, ratio analysis, etc)
Eight Types of Audit Procedures
Inspection of records and documents (purchase order, receiving report, invoice) Inspection of tangible assets (inventory counts) Observation (of a procedure performed) External Confirmation (statements from third parties) Recalculation (of depreciation, footings in tie-out, etc) Reperformance (of controls, with tracing from invoice to journal to sub ledger to GL to TB OR seeing steps in a bank rec) Inquiry (oral or written statements from entity) Analytical Procedures
Purpose of audit documentation
Integral part of audit quality Documents the nature, timing and extent of work performed Evidence of due care Basis for conclusion Facilitates planning, performance and supervision Provides basis for review
Control operating effectiveness
Is the control operating as designed?
Factors in determining the severity of ICFR deficiencies
Likelihood (nature of accounts involved, complexity required to determine amount, susceptivity of asset to fraud) Potential magnitude (how many accounts are subject to the control, volume of activity within the account balance) Compensating controls (controls designed to account for the increased risk involved if duties cannot be segregated effectively; must operate at a level of precision to prevent or detect a material misstatement) ALL ABOUT AUDITOR JUDGEMENT
What type of control is a manager approving dinner receipt for expense reimbursement?
Manual control Prevent control
Rely vs Not-Rely Controls
Must test controls and determine they are effective in order to rely on them Rely = lower control risk = less substantive procedures needed Not-Rely = Higher control risk
Does severity in a deficiency depend on whether a misstatement actually occurred?
NO; whether there is a reasonable possibility that controls will fail to detect misstatement POTENTIAL for material misstatement is what is judged
MRC design effectiveness considerations
Objective of the review (functions to prevent / detect misstatements rather than merely identify / explain differences) Level of aggregation (control performed at a more granule level is better than higher level [analysis of revenue by location instead of total revenue] Consistency of performance (control performed routinely and consistently is more precise) Correlation to assertions (control indirectly related to assertion is less likely to detect a material misstatement [control for finding errors in A/R recordings may not operate with sufficient precision to detect errors in valuation of BDE] Predictability of expectations (have precise expectations to detect misstatements by using key performance indicators to develop the expectations) Criteria for investigation (threshold for investigating deviations from expectations relative to materiality --> lower threshold = less risk]
Observe
Observe the control owner as they do their job Least used procedure because people act differently when being watched
Auditor's Responsibility for internal control
Obtain an understanding of the five components of internal control to plan the audit, including identifying potential misstatements, pinpoint factors affecting RMM, and designing controls / substantive procedures For each fraud risk, evaluate whether controls are in place to mitigate the fraud risk Assess control risk to determine the nature, timing and extent of substantive procedures to be performed
How should auditors evaluate IPE?
Obtain evidence about completeness and accuracy of information Evaluate whether evidence is sufficiently precise for auditor's purposes
If the auditor plans to assess control risk at less than the maximum and rely on controls, and the nature, timing, and extent of further audit procedures are based on that lower assessment, the auditor must: Perform only substantive procedures. Provide additional examples of responses to assessed fraud risks relating to fraudulent financial reporting. Obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period of reliance. Assess control risk at less than the maximum for all assertions.
Obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period of reliance
Which of the following would probably not be considered an indication of a material weakness? Immaterial fraud committed by senior management Ineffective oversight by the audit committee Overproduction by the manufacturing plant Evidence of a material misstatement
Overproduction by the manufacturing plant
What are the challenges of auditing MRCs?
People (don't understand what to do, insufficient succession training, lack of documented baseline for MRC activity to establish a baseline understanding) Data quality (system and non-system reports; data used in MRC not considered in control testing, insufficient time confirming accuracy of data, data too complex / large for complex) Risk identification (insufficient detail of judgements, key assumptions, accounting areas being used in MRC / identified controls do not mitigate risk) Control design (steps too general to mitigate risk, precision level not identified, MRC depends on other unidentified controls) Documentation (of control design and of control execution) PDR CD
Which of the following controls is designed to meet the completeness assertion? Sales are dated by the computer to ensure it is included in the proper period. Prenumbering invoices, shipping documents, and sales orders. Sales orders are approved by the credit department prior to shipping goods. The sale is to a customer on the approved customer list.
Prenumbering invoices, shipping documents, and sales orders.
Audit documentation requirements
Prepared in sufficient detail to enable an experienced auditor having no previous connection with the engagement to: -Understand the nature timing, extent, and results of procedures -Determine who performed the work, date of work, reviewer and date of review -Reperform the procedures Provide a clear link to significant findings, demonstrate compliance with professional standards, support basis for conclusions for each relevant assertion, document that accounting records agree with financial statements
Control Activities Principles
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. - Performance Reviews - Physical Controls - Segregation of Duties (can't have person that distributes cash make sure cash balances) - Information Processing Controls Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives. Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and communication principles
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. - Identify and record all valid transactions - Classify transactions properly - Measure the value of transactions properly - Record transactions in the proper period - Properly present transactions and disclosures Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring activities principles
Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
control risk assessment principles
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
Ways to document the understanding of internal control
Procedures manuals and organizational charts Flowcharts Internal control questionnaires Narrative description
Re-perform
Reperform the procedures performed by the control owner Must be what the control owner did, not what they should have done
Confirmation of accounts receivable
Required by GAAS, and is assumed to have been done by audit firms
Top-Down Approach
Required by PCAOB to select which controls to test begins at F/S level and auditor's understanding of overall risks to internal control over fin. reporting then focus on entity-level controls and work down to significant accounts + related assertions
Management's Responsibility for internal control
Responsible for establishing and maintaining the internal controls over financial reporting Assess and ASSERT on the effectiveness of internal controls (for public companies)
Are roll-forward considerations the same or different for ICFR opinion and CR assessment for financial statement audit portion of integrated audit
The same
Management review controls
Reviews of calculations, valuations, assumptions, analyses prepared by others (INCLUDING THIRD PARTIES), or reviews of financial results against budgets
Audit risks related to IPE
Risk 1: The data processed by the IT application which generates the IPE is not complete or accurate (transactions that are missing or recorded inaccurately) Risk 2: The IPE extracted from the IT application is not the intended data or is not complete Risk 3: Computations or categorizations performed in the creation of the IPE from the IT application are inaccurate Risk 4: The output from the IT application into the EUC (end-user-computing) tool is modified or lost in the transfer to the tool (incomplete or inaccurate) Risk 5: The output from the IT application into the EUC tool or the output from the EUC tool is incomplete (data is missing) or inaccurate (data has been added, changed, computed or categorized incorrectly).
Which of the following tests of detail would help an auditor determine whether A/P have been misstated? Examining reported purchase returns that appear too low Examining vendor statements for amounts not reported as purchases Searching for customer-returned goods that were not reported as returns Reviewing bank transfers recorded as cash received from customers
Searching for customer-returned goods that were not reported as returns
What level of evidence of control design and operation must be maintained?
Subjective and varies with the nature of the control (i.e. is just a sign off enough??) Evidence needs to be greater for subjective controls, as these are difficult for the auditor to reperform
Pulling documentation together into one file
The auditor needs to understand its client and the client's environment: -To assess the risks inherent in the audit -To relate those risks to financial statement elements and assertions -Understand the risks of material misstatement -And then design and audit that deal with those risks All of this needs to be documented up front as part of the audit planning process and updated as the audit progresses and new information comes to light (usually included in the audit planning memorandum) JUST LIKE EXCEL SPREADSHEET for Freeman
Monitoring activities
The process of evaluating the effectiveness of an organization's system of internal control over time, including: -Periodic evaluation by internal auditing -Supervisory review of controls -Follow-up of reporting errors -Follow up of customer complaints -Audit committee inquiries
An audit team was testing source documents in the purchasing cycle and identified the following circumstances. Which of the following would be the most indicative of source document fraud? The same item code appears on different invoices from the same vendor The same invoice number appears on different invoices from the same vendor The same invoice date appears on different invoices from the same vendor The same purchase order number appears on two invoices from the same vendor
The same invoice number appears on different invoices from the same vendor
Audit documentation
The written record of the basis for the auditor's conclusions that provides the support for the auditor's representations, whether those representations are contained in the auditor's report or otherwise DOES NOT HAVE TO BE CONTAINED IN AUDIT REPORT to be documented
How is a significant deficiency reported?
Unqualified ICFR opinion Communicate in writing to audit committee before report is issued if none identified, CANNOT SAY "no sig. deficiencies exist" (we did not find any but that does not mean there are not any)
How is a deficiency reported?
Unqualified ICFR opinion Communicate in writing to management before report is issued, but no need to report to audit committee
The control activity "credit sales approved by credit department" is directed toward which transaction assertion? Valuation. Occurrence. Cutoff. Completeness.
Valuation / Accuracy
Vouching vs Tracing
Vouching = testing for existence / occurrence = going from the F/S or G/L to see in support documents if the asset exists Tracing = testing for completeness = going from the support documents or physical counts to see if all of the assets are listed on the F/S
When is it possible that inquiry alone is sufficient to roll-forward conclusion from interim to year-end?
When a low risk area is being audited and the interim is close to year end
Connection between audit evidence and quality
When evidence gathered is of higher quality, less of the evidence is required
When does internally generated evidence increase in reliability?
When internal controls for the entity are effective
Connection between audit evidence and quantity
When there is more risk, more audit evidence is required
ICFR (Internal Control over Financial Reporting)
a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP
Internal Controls and its three objectives
a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to: reliability of financial reporting effectiveness of operations compliance with regulations
When is a testing of design effectiveness done?
a test of ONE SINGLE design performed during the walkthrough
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control? a) Incompatible duties b) Management override c) Faulty judgment d) Collusion among employees
a) incompatible duties If you are setting a company's internal controls as management, you make sure that there are no incompatible duties; the other three require getting in someone's brain to actually change (personal agency), so management does not have control over these Design vs operating effectiveness
Audit working papers are indexed by means of reference numbers. The primary purpose of indexing is to: a. Permit cross-referencing and simplify supervisory review b. Support the audit report c. Determine that the workpapers adequately support findings, conclusions, and reports d. Eliminate the need for follow-up reviews
a. Permit cross-referencing and simplify supervisory review
Current files
all audit files applicable to the year under audit; bulk of the files --> every year's audit should stand on its own with enough info to support conclusion for that year Planning, Trial balance, Reporting Programs, Minutes, Memos Reconciliations, Testing
Permanent files
auditors' files that contain data of a historical or continuing nature pertinent to the current audit, information of continuing audit significance to get a general understanding of company Corporate by-laws Chart of accounts Contracts
What does IPE not include?
bank statements vendor invoices legal contracts other documents produced by 3P that are not party of entity's internal control
Manual control
controls manually performed entirely by people without the use of information from the company's system
IT dependent manual control
controls that are performed by people utilizing information produced by the entity NOT JUST IF GO BACK TO INVOICE ITSELF, but if put into the system
Application control
controls that are performed entirely by a computer; nonconfigurable (straight out of computer system that company does not modify) vs configurable
COSO (Committee of Sponsoring Organizations) Cube Framework
criteria used to assess effectiveness of ICFR (similar to GAAP for F/S) Includes: 1) three objectives of internal controls (operations, reporting, compliance), five components of internal control, and the structure of the entity into 17 principles that must be met to conclude ICFR is effective
If internal control is properly designed, the same employee may be permitted to: a) Receive and deposit checks and also approve write-offs of customer accounts b) Approve vouchers for payment and also sign checks c) Reconcile the bank statements and also receive and deposit checks d) Sign checks and also cancel supporting documents
d) Sign checks and also cancel supporting documents (affirming you paid the invoice and are thus cancelling the invoice)
Which of the following statements about internal controls is true a. Properly maintained internal control reasonably ensures that collusion among employees cannot occur b. The establishment and maintenance of internal control are important responsibilities of the internal auditor c. Exceptionally effective internal control is enough for the auditor to eliminate substantive procedures on a significant account balance d. A limitation of internal control is that management makes judgments about the extent of controls it implements
d. A limitation of internal control is that management makes judgments about the extent of controls it implements
Which of the following is usually included or shown in the audit documentation? a. The procedures used by the auditor to verify the personal financial status of members of the client's management team b. Analyses that are designed to be a part of, or a substitute for, the client's accounting records c. Excerpts from authoritative pronouncements that support the underlying generally accepted accounting principles used in preparing the financials d. A summary of how significant findings were addressed
d. A summary of how significant findings were addressed
Material weakness in an ICFR
deficiency in internal control so that there is a reasonable possibility that a material misstatement will not be prevented or detected and thus go into F/S if a control does not work one time, assume it always does not work in preventing misstatements and that everything could have been misstated that was subject to that control
Significant deficiency in an ICFR
deficiency in internal control that is less severe than a material weakness but it is still important enough that the audit committee should be aware of it MORE JUDGEMENTAL on part of auditor
A company should have a control to compare the Price List Master File to an official price source for accuracy every time it- select the most appropriate answer: once a year once a quarter every time the Company changes prices every time the Company invoices a customer
every time the Company changes prices
Deficiency in ICFR
exists when design or operation of a control does not allow management or employees, in the normal course of duties, to prevent or detect any possible misstatement on a timely basis design or operating deficiency FIRST THING YOU DO is evaluate the severity of the deficiency on the auditor's control risk assessment for that assertion
Walkthrough
following a transaction from origination through the company's processes until reflected in the financial records, using same documents and IT that company personnel utilize objectives: 1) understand flow of transactions related to relevant assertions, 2) "what could go wrong" analysis to identify points where misstatement could arise, 3) design effectiveness of controls implemented to address WCGW
Order of least to most reliable evidence
inquiry of appropriate personnel observation of the company's operations inspection of relevant documentation re-performance of the control.
Control risk assessment
management's identification and analysis of relevant risks to achievement of its objectives consider possible changes in external environment and within its own business model
What is the population used for sampling in testing operating effectiveness
number of times the control SHOULD HAVE operated, which may be impacted by the number of control owners
audit planning memorandum
pre-audit memo that contains information like name of the client, assessment of the risk, materiality concern, performance materiality concern, and procedures of the audit that led to a decrease in the chances of material misstatements
Proper segregation of duties
separating these functions in a process: authorization of a transaction recording of the transaction in the accounting system custody of assets associated with transaction
Control activities
the actions established by procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out; CONTROLS WITHIN THE COMPANY PERFORMED BY COMPANY performed at all levels of entity and at various stages within business process
Control environment
the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization board of directors and senior management establish the tone at the top regarding the importance of internal control
Control design effectiveness
whether the control, if operated as prescribed, satisfies the control objectives and can prevent or detect material misstatements the control's description should be detailed with many steps and differentiated from the process which the control covers