Chapter 7- Audit

questionnaires are usually designed so that __ answers prominently identify weaknesses in internal control

"no"

deficiency in operation

exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively

___ alone is not sufficient to evaluate the design of a control and determine whether it has been implemented

inquiry

internal control varies among corporations based on what?

organization size, nature of operations, and objectives

Section 404(a) requires each annual report (10-K) filed with the SEC to include a report in which management does which two things regarding internal control?

1. acknowledges its responsibilities for establishing and maintaining adequate internal control over financial reporting 2. provides an assessment of internal control effectiveness as of the end of the most recent fiscal year

service auditor

A practitioner that reports on the internal controls at a service organization.

monitoring of controls

A process that assesses the quality of internal control performance over time.

internal control

A process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories of (1) operations, (2) reporting, and (3) compliance.

user entity

An entity that uses the services of a service organization and whose financial statements are being audited.

service organization

An organization or segment of an organization that provides services to user entities that are relevant to the user entities' internal control over financial reporting.

relevant assertions

Assertions that have a meaningful bearing on whether an account balance, class of transaction, or disclosure is fairly stated. For example, valuation may not be relevant to the cash account unless currency translation is involved; however, existence and completeness are always relevant.

incompatible duties

Assigned duties that place an individual in a position to both perpetrate and conceal errors or fraud in the normal course of job performance.

transaction cycle

The sequence of procedures applied by the client in processing a particular type of recurring transaction. The term cycle reflects the idea that the same sequence of procedures is applied to each similar transaction.

the organizational structure of an entity should separate responsibilities for

1. authorization of transactions 2. record keeping for transactions 3. custody of assets

sub objectives of internal control (sales transactions)

1. all sales transactions are recorded on a timely basis 2. sales transactions are recorded at the correct amounts in the right accounts 3. sales transactions are accurately and completely summarized in the company's books and records 4. presentations and disclosures relating to sales are properly described, sorted, and classified

risk responses fall into which categories?

1. avoidance- exiting the activity that gives rise to the risk 2. reduction- taking action to reduce the likelihood or impact 3. sharing- reducing risk likelihood or impact by transferring or sharing a portion of the risk 4. acceptance- no action because the risk is tolerable

in performing risk assessment, organizations should

1. clearly specify objectives to allow the identification and assessment of risks related to those objectives 2. identify and analyze risks to the achievement of its objective to determine how they may be managed 3. consider potential fraud relating to the achievement of objectives 4. identify and assess changes that could impact potential control

the basic principles of the control environment include

1. commitment to integrity and ethical values 2. board of directors that demonstrates independence from management and exercises effective oversight over internal control 3. establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities 4. commitment to attract, develop and retain competent employees 5. holding employees accountable for internal control responsibilities

which two categories can transaction level controls be broken into?

1. general control activities- apply to all or multiple types of transactions 2. application control activities- apply to the processing of a single type of transaction

what is the 2017 ERM Framework?

1. governance and culture 2. strategy and objective setting 3. performance 4. review and revision 5. information, communication, and reporting

tests of controls detect which three things?

1. how controls were applied 2. the consistency with which controls were applied 3. by whom or by what means the controls were applied

an accounting information system should

1. identify and record all valid transactions 2. describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting 3. measure the value of transactions in a manner that permits recording their proper monetary value 4. determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period 5. present properly the transactions and related disclosures in the financial statements

auditors perform tests of controls to obtain evidence about operating effectiveness of controls, what are the two approaches?

1. identify the controls likely to prevent or detect material misstatements 2. perform test of controls to determine whether they are operating effectively

the audit procedures used to test the effectiveness of internal control include

1. inquiries with appropriate personnel 2. inspection of documents and reports 3. observation of application of controls 4. reperformance of the controls

procedures to obtain audit evidence about the design and implementation of relevant controls may include

1. inquiring of entity personnel 2. observing the application of specific controls 3. inspecting documents and reports 4. tracing transactions through the information system relevant to financial reporting

precision of review controls is affected by

1. level of aggregation of data (monthly or weekly) 2. frequency and consistency with which the review is performed 3. the predictability of the expectations developed by management 4. the criteria used to determine when an item or relationship is investigated

the AICPA and PCAOB state an external auditor may use the work of an internal auditor in two ways

1. obtaining audit evidence by using the internal auditors' work performed as part of their normal responsibilities 2. using internal auditors to provide direct assistance on the external audit

when documenting internal control, the auditors should include

1. overall responses to the assessed risks of material misstatement at the financial statement level 2. nature, timing, and extent of further audit procedures 3. linkage of those procedures with the assessed risks at the relevant assertion level 4. results of the audit procedures 5. conclusions reached with regard to the use of current audit evidence about operating effectiveness of controls obtained for a prior client

what are the five stages of an internal control audit?

1. plan the engagement 2. use a top-down approach to identify controls to test 3. test and evaluate design effectiveness of internal controls 4. test and evaluate operating effectiveness of internal controls 5. form an opinion on the effectiveness of internal control over financial reporting

internal control of an environment includes five components

1. the control environment 2. the risk assessment process 3. control activities 4. information system relevant to financial reporting and communication (accounting information system) 5. monitoring activities

all corporations under the jurisdiction of the SEC must maintain a system of internal control that will provide reasonable assurance that

1. transactions are executed with the knowledge and authorization of management 2. transactions are recorded as necessary to permit the preparation of reliable financial statements and maintain accountability for assets 3. access to assets is limited to authorized individuals 4. accounting records of assets are compared to existing assets at reasonable intervals and appropriate action is taken with respect to any differences

what are the two types of reports that service auditors may provide?

1. type 1- a report on management's description of a service organization's system and the suitability of the design of internal controls 2. type 2- a report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls

for repeating clients with no changes made to internal control systems, the AICPA requires tests of controls be performed every __ years

3

corrective control

A control established to remedy control problems (e.g., misstatements) that are discovered through detective controls.

compensating control

A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective (e.g., avoiding misstatements). Compensating controls are ordinarily controls performed to detect, rather than prevent, the original misstatement from occurring.

material weakness

A deficiency in internal control over financial reporting (or a combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis.

significant deficiency

A deficiency in internal control over financial reporting (or combination of deficiencies) that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

fidelity bonds

A form of insurance in which a bonding company agrees to reimburse an employer for losses attributable to theft or embezzlement by bonded employees.

walk-through

A procedure in which an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use.

management letter

A report to management containing the auditors' recommendations for correcting any deficiencies disclosed by the auditors' consideration of internal control. In addition to providing management with useful information, a management letter also may help limit the auditors' liability in the event a control weakness subsequently results in a loss by the client.

deficiency of internal control

A situation in which the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis

audit decision aid

A standard checklist, form, or computer program that assists auditors in making audit decisions by ensuring that they consider all relevant information or that aids them in weighting and combining the information to make a decision.

systems flowchart

A symbolic representation of a system or series of procedures with each procedure shown in sequence. Systems flowcharts are a widely used method of describing internal control in audit working papers.

integrated audit

An audit of both financial statements and internal control over financial reporting, provided by the external auditor. Required for public companies.

as of date

An audit of internal control over financial reporting assesses internal control as of a particular point in time, the "as of" date, as opposed to the entire period under audit. This date is ordinarily the last day of the client's fiscal period.

what does COSO stand for?

Committee of Sponsoring Organizations

preventive controls

Controls that deter control problems before they occur; they avoid the occurrence of misstatements in the financial statements.

complementary controls

Controls that function together to achieve the same control objective.

redundant controls

Duplicate controls that achieve a control objective.

how is enterprise risk management different than internal control risk?

ERM focuses beyond internal control in managing risks

Foreign Corrupt Practices Act

Federal legislation prohibiting payments to foreign officials for the purpose of securing business. The act also requires all companies under SEC jurisdiction to maintain a system of internal control providing reasonable assurance that transactions are executed only with the knowledge and authorization of management.

separate evaluations

Monitoring procedures that are conducted periodically, typically by objective management personnel, internal auditors, or external consultants.

management review controls

Reviews conducted by the management of estimates and other kinds of financial information for reasonableness

further audit procedures

Substantive procedures for all relevant assertions and tests of controls when the auditors' risk assessment includes an expectation that controls are operating effectively, or when substantive procedures alone do not provide sufficient appropriate audit evidence.

the Treadway commission

The National Commission on Fraudulent Financial Reporting that made recommendations related to financial statement fraud and other matters in 1987.

risk tolerance

The acceptable level of variation in performance relative to the achievement of objectives. For example, a company may expect staff to respond to all customer complaints within 24 hours, but accept that up to 10 percent of complaints receive a response within 36 hours.

organizational structure

The division of authority, responsibility, and duties among members of an organization.

Planned assessed level of control risk

The level of control risk the auditors assume in designing further audit procedures, which include an appropriate combination of tests of controls and substantive procedures.

assessed level of control risk

The level of control risk used by the auditors in determining the acceptable detection risk for a financial statement assertion and, accordingly, in deciding on the nature, timing, and extent of substantive procedures.

enterprise risk management

a process used by a company to identify its risks and develop responses to them that enable it to be reasonably assured of meeting its goals

PCAOB standards about internal control testing require the auditors to obtain evidence regarding operating effectiveness ____

annually

entity-level risks

arise from external and internal factors, such as economic, regulatory, technology, and personnel factors

what factors might increase financial reporting risk?

changes in regulatory or operating environment, changes in personnel, new or revamped information system, rapid growth, changes in technology affecting production processes or information systems, new business model or products, corporate restructuring, foreign expansion, adoption or changes in accounting principles

if auditors are unable to achieve a sufficient understanding from the user entity, they should

1. contact the service organization, through the user entity, to obtain information 2. visit the service organization and perform necessary procedures about relevant controls 3. obtain and consider a Service Organization Control audit report of a service auditor on the service organization's internal controls

the __ ____ may be viewed as the foundation for the internal control components

control environment

detective controls

controls designed to discover control problems that were not prevented

culture is reflected in

decision making

substantive procedures restrict ___ risk

detection

controls are ___, the controls that were adequate last year may not be this year

ever changing

deficiency in design

exists when either a control necessary to meet a control objective is missing or the existing control is not designed to operate effectively.

test of controls can either focus on ___ ___ level or ___ level

financial statement; assertion

transaction-level risks

found within divisions, operating units, or functions of the organization

___ and ___ form a basis for all other components of ERM

governance and culture

to properly perform a financial statement audit, auditors are required to determine that the major controls have been ___; they are not required to evaluate their __ ____

implemented; operating effectiveness

preventive controls often operate at the ___ transaction level, and detective controls may operate at the ____ level or at a ____ level

individual; transaction; higher

The risk of misstatement is composed of _____ risk and _____ risk.

inherent and control

why is corporate governance broader than internal controls?

it is not only concerned with effectiveness of financial reporting but is also concerned with ethical treatment of all major stockholders, compliance with laws and regulations, customary business practices and ERM

top down approach to testing internal controls

it starts with the financial statements and entity-level controls, and links the financial statement elements and entity-level controls to significant accounts, relevant assertions, and the major classes of transactions

example of corrective controls

maintaining backup copies of key transactions and master files to allow the correction of data entry errors

examples of work that should not be given to internal auditors include

making required inquiries of management related to the identification of fraud risks and determining procedures to respond to such risks

for a corporation, what are the major resources of corporate governance?

management compensation systems, the board of directors, external auditors, internal auditors, attorneys, regulators, creditors, security analysts, and internal control systems

written narratives of internal control

memoranda that describe the flow of transaction cycles, identifying the employees performing various tasks, the documents prepared, the records maintained, and the division of duties

management review controls are a type of ___ control

monitoring

written narratives

more flexible than questionnaires but by themselves are practical only for describing relatively small, simple systems.

if the external auditors plan to use the internal auditors for direct assistance they should

1. obtain written acknowledgement from management or those charged with governance that the internal auditors will be allowed to perform the work free from any interference 2. make sure internal auditors are competent, objective, and approaches are appropriate

which control activities are relevant to an audit

performance reviews, transaction control activities, physical controls, and segregation of duties

a well designed organizational structure provides the basis for

planning, directing, and controlling operations

specific authorizations

policies and procedures that apply to designated levels of management, such as the policy that only the plant manager can authorize overtime pay

what are examples of risks at the financial statement level?

preparation of financial statements, developing accounting estimates, preparation of notes, selection and application of significant accounting policies, IT general controls, the control environment

what is the advantage of a flowchart over a questionnaire or narrative?

provides a clearer, more specific portrayal of the client's system

the documentation of internal control usually takes the form of

questionnaires, written narratives, and flow charts

examples of detective controls

reconciliations, performance reviews, audits

the auditors evaluate the design effectiveness of management review controls by considering which two things?

relevance and the precision of controls

Section 404(b) of SOX requires

requires most companies' auditors to attest to, and report on, internal control over financial reporting; does not apply to companies with less than 75 million in market capitalization or 100 million in revenue the preceding year

examples of preventive controls

separation of duties, physical controls, proper authorization, employee management, e-commerce controls

Corporate Governance

set of rules, processes, and laws by which businesses are operated, regulated, and controlled

governance

sets the entity's tone, reinforcing the importance of ERM and establishing oversight responsibilities

which types of deficiencies in internal control require communication to those charged with governance in writing?

significant deficiencies and material weaknesses

management review controls involve what?

significant judgement, knowledge, and experience in comparing recorded amounts with expectations of reviewers

an organization sets its risk appetite in conjunction with

strategy setting

in a small business, the auditor must rely much more on ___ procedures of account balances and transactions than is required for larger organizations

substantive

general authorization

the authorization given employees to handle routine transactions without special approval

what is the major difference between control objectives and management assertions?

the control objectives are broader in that they not only relate to the financial reporting but also to operations and compliance

results of the risk assessment are used to design

the nature, timing, and extent of further audit procedures

internal control over financial reporting at the top level

the overall objective is to prepare and issue reliable financial statements

a weakness of an internal control questionnaire is

its lack of flexibility

separate systems flow charts are prepared for each major ___ ___

transaction cycle

the questionnaire usually contains a separate section for each major ___ ___

transaction cycle

what is an example of a compensating control?

when a small business does not have enough people to provide appropriate segregation of duties, so the manager reviews all accounting records

the lower assessed level of control risk is only appropriate when

the auditors have evidence on the operating effectiveness gained by performing a test of controls

