Mid-term
What are the differences between an integrated audit for public companies (PCAOB standard 5) & non-public companies (AT 501)
...
What standards provide guidance for performing the internal control portion of an integrated audit for an non-public company
AT 501
Strong indicator or significant deficiency in hiring and promotion procedures
Failure to perform substantive background investigations for individuals being considered for employment or promotion to a position of trust
Auditors have traditionally relied primarily on evidence from substantive procedures rather than testing controls in audit areas when a substantive approach was considered the most cost-effective approach (is this still allowed with PCAOB-5?)
No, since auditors now must report on the effectiveness of internal control
When a client has multiple locations, must the auditors design and perform tests at all locations
No, the auditor should assess the risk of material misstatement to the financial statements of each location and base the amount of testing on the degree of risk
Strong indicator or significant deficiency in mgmt code of conduct/ethics
Non-existence code of code that fails to address conflicts of interest, related party transactions, illegal acts, and monitoring by management and the board
How may these two difference (financial vs internal control) be reconciled in an integrated audit?
PCAOB Standard No.5, for purposed of the internal control audit, allows the auditor to obtain evidence about operating effectiveness at different times throughout the year- provided that the auditors update those test or obtain other evidence that the controls still operated effectively at the end of the year
Can auditors use the work of others (ex. if client personnel have already performed certain procedures that the auditors had intended)
Yes, because PCAOB standard No.5 allows auditors to use the work of others
If management prior to year end indentifies a material and corrects this before year end, can the auditors issue an unqualified opinion on internal control?
Yes, but only if the auditors have sufficient evidence to provide reasonable assurance that the new control is operating effectively (much easier for controls that happen frequently as opposed to monthly or quarterly)
Are the types of tests of controls performed for an internal control audit the same as those performed for a financial statement audit?
Yes, the auditor must consider the differences in the objectives of the test
May the evidence from test performed for an internal control audit be used for the financial statement audit?
Yes, the auditor must consider the differences in the objectives of the test
Auditors can issue what in addition to the separate report
a combined report for both financial statements and internal audit
Scope limitations may result in either
a disclaimer or withdrawal from the engagement depending on the extent of the limitation
What is an example of a direct effect control
a monitoring control that detects only large misstatement
what types of account are more prone to fraud
accounting estimates & non-routine transactions
Management's report on internal control is incomplete or improperly presented & report does not acknowledge a material weakness indentified by the auditor
adverse
Material weakness exists
adverse
The auditor report is already
adverse due to the existence of a material weakness
Walk throughs can be performed________
alone or supervise the work of others who provide assistance to them
One or more material weaknesses in internal control result in
an adverse opinion
For example, it the material weakness is not indentified until after year end, then what type of opinion would be issued
an adverse opinion (timing is very important)
Systems approach
an approach which heavy reliance on internal control evidence
Why is audit committee important
an effective audit committee exercises oversight responsibility over both financial reporting and internal control
The auditors must test controls every year
and cannot rotate analysis of various transaction types between various years
accounting estimates
are activities involving management's judgment or assumptions, such as determining the allowance for doubtful accounts, estimating warranty reserves, and assessing assets for impairment
Entity-Level Controls
are those included in the control environment or monitoring components of internal control
Relevant assertions for an account
are those that have a meaningful bearing on whether the account is presented fairly
Major classes of transactions
are those that materially affect significant financial statement accounts, either directly through entries in the general ledger or indirectly through the creation of rights or obligations that may or may not be recorded in the general ledger
Transaction cycles
are those transaction flows that have a meaningful bearing on the totals accumulated in the company's significant accounts and, therefore, have a meaningful bearing on relevant assertions
The objective of tests of controls for a financial statement audit is to
assess control risk
Strong indicator or significant deficiency in audit committee
audit committee passively conducts oversight, it does not actively engage the topic of fraud.
Should communication to management and the audit committee happen before or after the audit report
before the audit report
When the principal auditors decide to refer in their report to the work of the other auditors, this reference is included
both in describing the scope of the audit and in expressing an opinion
What must be considered in the evaluation of are significant deficiencies or material weaknesses
both quantitative and qualitative factors
What is an example of a performance measure designed to tract the operation of controls
budgets
The auditor specifically (for testing design of controls)
considers whether the controls, if functioning, would reduce the risks to an appropriately low level
When is communication in writing necessary to management
control defficieny, sig defficieny, & material weakness
The auditors test the design effectiveness of controls by
determining whether the company's controls, if operating properly, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements
Controls may have either a_____ or ______ effect on the likelihood of misstatement
direct or indirect
Scope restriction
disclaimer or withdraw from engagement
What entity level controls are emphasized in Standard No. 5
entity level controls relating to audit committee effectiveness, fraud, and the period end financial reporting process
Two objectives
evaluate design of control to identify controls and risks, evaluate the operation of the control
In all cases in which the work of others is used the auditors should
evaluate the competence and objectivity of those individuals and test the work they have performed
Compensating control
exists to either prevent or detect the possible misstatement
Control deficiency
exists when the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis
Strong indicator or significant deficiency in remediation
failure to take appropriate and consistent remedial actions with regard to identified significant deficiencies, material weaknesses, actual fraud, or suspected fraud
In the case of detection of significant deficiencies or material weaknesses have been identified, the auditors must obtain assurance that such deficiencies
have not resulted in undetected material misstatements
For example
identification of a material misstatement in the financial statements is considered; indicative of at least a significant deficiency in internal control
When would an audit of the financial statements not access the operation effectiveness of a control
if it is accessed at the maximum level
Additional examples of substantive findings that might affect the internal control audit are
illegal acts, related party transactions, the reasonableness of accounting estimates, and the client's overall selection of accounting principles
Historically, auditors minimized testing of controls aimed at preventative controls and emphasized the testing of detective controls to save on costs in a financial statement audit (how does this relate to the audit over internal control?)
in an audit of internal control, the auditors are more likely to use an approach that includes testing of both preventative and detective controls
Even though a control presents low risk overall in that there is a low inherent risk, a low degree of complexity, few changes in controls, and the previous revealed no deficiencies
in such a case the auditors may determine that sufficient evidence of operating evidence could be obtained by performing a walk-through
Complementary controls
in that they work together to achieve a particular control objective
Strong indicator or significant deficiency in mgmt internal audit
inadequate communication, involvement, and interaction with the audit committee
Strong indicator or significant deficiency in mgmt whistleblower program
inadequate process for responding to allegations of suspicions of fraud
Strong indicator or significant deficiency in mgmt internal audit
inadequate scope of activities
Strong indicator or significant deficiency in mgmt code of conduct/ethics
ineffective communications to all covered persons
Procedures utilized in testing the design effectiveness of controls
inquiry of appropriate personel, observation of the company's operations, and inspection of relevant documentation
All internal control systems no matter who well designed have
internal control limits
A walk-through _______& may be the________
involves literally tracing a transaction from its origination through the company's information system until it is reflected in the company's financial reports, most effective way to obtain an understanding of the likely sources of misstatement
Significant deficiency
is a control deficiency, or a combination of control deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough o merit attention by those responsible for oversight of the company's financial reporting
Material weakness
is a control deficiency, or combination of control deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis
Significant defficieny
is less severe than a material weakness, yet important enough to merit the attention of the audit committee
If deficiencies have been identified, then the ________ is key to indentifying the proper opinion to issue
likelihood and potential amount of misstatement
Self-assessment procedures
made by employees and management
What are the steps to engage an auditor subsequent to a material weakness
management must first gather sufficient evidence to demonstrate that the material weakness has been eliminated, document this evident, and provide a written assertion stating that the material weakness no longer exists
What type of situation may a non-public company engage in an integrated audit
management of the non public company may be considering taking the company public in the relatively near future
Do you need more testing for manual controls or automated controls
manual controls
What types of weaknesses must be communicated to the audit committee
material & significant defficienies
After a change in auditors, the successor auditors may issue such a report(subsequent to advere report, to gain clean opinion), but they first
must obtain a sufficient understanding of the entity and the related material weakness
What must auditor do in regards to period end reporting process
must thoroughly evaluate this process, including the manner in which financial statements are produced, the extend of information technology involved, who participated from management, the locations involved, and the types of adjusting entries and oversight by appropriate parties
An unqualified audit opinion may be issued when
no material weaknesses in internal control have been identified as existing at the as of date (year-end) and when there have been no restrictions on the scope of the auditor's work
Strong indicator or significant deficiency in mgmt whistleblower program
no program for anonymous submissions
Are nonpublic companies required to undergo integrated audits
no required, but the option is available
Does inquiry alone provide sufficient evidence to support the operating effectiveness of a control
no, auditors should substantiate the responses to inquires by performing other procedures, such as inspecting reports or other documents relating to the inquiries
Can substantive tests be omitted completely in areas in which controls have been found to operate effectively
no, regardless of the assessed level of control risk, the auditors must perform substantive procedures for all relevant assertions related to all significant accounts and disclosures
Does the tone at the top have a direct effect
not for any particular assertion, may lead to more effective lower control performance and decrease other testing
The objective of test of controls in an audit of internal control is to
obtain evidence about the effectiveness of controls to support the auditors' opinion on whether management's assessment of the effectiveness of internal control (a point in time)
non-rountine transactions
occur only periodically
What distinguishes entity level controls from other controls designed to achieve the specific objectives
pervasiveness
What are the five stages of the audit
plant the engagement, use a top-down approach to identify controls to test, test and evaluate design effectiveness of internal control, test & evaluate operating effectiveness of internal control & form an opinion on the effectiveness of internal control
Ex of compensating control
reconciliation of cash accounts by a competent individual who is otherwise independent of the cash function
Example, a weakness in cash disbursements can be mitigated by what type of compensating control
reconciliation of the bank account by an individual otherwise independent of the cash function
routine transactions
recurring activities
Direct effect controls allow auditors to
reduce, but not eliminate, the testing of other controls
What risk is associated when using the work of others
relatively low-risk areas
What is an example of a non entity level control
requiring accounting for all shipping documents
The results of substantive procedures may affect the ______ of substantive procedures & the results of substantive procedures may affect______the audit of internal control
scope &
Strong indicator or significant deficiency in mgmt accountability
senior management conducts effective oversight of antifraud programs and controls
The auditors who are able to serve as principal auditors of the financial statements ordinarly
serve as principal auditors of internal control
What are the four type of controls over issues that have a heightened risk of fraud
significant unsusual transactions, related party transactions, significant management estimates, & incentives for management to falsify or inappropriately manage financial results
"top down approach"
starts at the top, the financial statements and entity-level controls and links the financial statement elements and entity level controls to significant accounts, relevant assertions and to the major class of transactions
The integrated nature of nature of the two audits suggests that
testing should be spread throughout the year
PCAOB standard No.5 requires the auditor to obtain sufficient evidence about the effectiveness of controls for all relevant assertions related to all significant accounts means
that the auditor must design procedures to provide a high level of assurance that the controls related to each relevant assertion are operating effectively
Auditors must consider not only the misstatements indentified, but also
the amount that could occur with a reasonable possibility
If, while performing the engagement( subsequent to adverse report, to gain clean opinion) the auditors discover an additional material weakness, the auditors should inform
the audit committee and the matter, but they are not required to modify their report
What is the difference between the audit of internal control and the consideration of internal control in financial statement audit
the audit of internal control is considered about the effectiveness of internal control at a point in time (as of date) (controls performed significantly less than the entire year), as opposed to the financial statement audit where internal control helps plan the audit and to assess control risk for the entire transactions occurring throughout the year to provide sufficient evidence to support the opinion on internal control and asses control risk
In deciding how to design tests of operations effectiveness
the auditor must focus on; the nature, timing and extent of the tests (NET)
To fulfill the objective of the test of controls in an audit of internal control
the auditor must obtain evidence about the effectiveness of controls over the relevant assertions for all significant accounts and disclosures in the financial statements
If management does not disclose a material weakness properly
the auditor should state that the material weakness is not included in management's assessment and describe it in the audit report
How is an adverse opinion be expressed
the auditor's report must define a material weakness, indicate that one has been indentified, and refer to the description of it in the management's report
When management believes that the material weakness has been eliminated (after math of adverse opinion)
the auditors may be engaged to report on whether the material weakness continues to exist
How is the report on internal controls reported
the auditors may issue separate reports on the financial statements and internal control or a combined report
As an example, if controls over the recording of revenues are considered ineffective
the auditors must determine whether the audit procedure designed into their audit program must be modified to obtain more evidence about the fairness of revenue
When management's report on internal control is found to be inadequate
the auditors should modify their report to include an explanatory paragraph describing the reasons for this determination
Tests of the operating effectiveness of control determine whether
the control functions as designed and whether the person performing the control possesses the necessary authority and qualifications
The auditors generally must merely extend the tests to cover (internal control provides significant evidence for every sig transaction)
the financial statement period in order to assess control risk at a low level for purposes of the financial statement audit
Generally, the more frequently controls operate
the more auditors should test them
When the auditors' original report included other material weaknesses that are not being considered in this engagement
the report should be modified to disclose that the other weaknesses are not addressed by the opinion
In addition to utilizing the "cumulative audit knowledge" (knowledge obtained from prior audits) to trim work, the auditors should consider
the various risk factors related to a control as well (NET, the results of previous years testing of controls, & whether there have been changes in the control, or the significant process in which it operates, since the previous audit
The auditor should test those controls that are important to
their conclusion about whether the company's controls sufficiently address the risk of misstatement for each relevant assertion
An account is significant if
there is a reasonable possibility that it could contain a misstatement that, individually or when aggregated with others, has a material effect on the financial statements, considering both the risks of understatement and overstatement
If the auditors decide to assess control risk at less than the maximum
they are required to obtain evidence that the relevant controls operated effectively during the entire period upon which they plan to place reliance on
What are auditors responsible for in regards to subsequent events
they have the responsibility to make inquires of management about whether there have been any such changes
What happens when the auditors conclude that the oversight of the company's external financial reporting and internal control over financial reporting is ineffective
they must communicate that conclusion in writing to the board of directors
If the auditors are unable to determine the effect of the subsequent event
they should issue a disclaimer
If the auditors obtain knowledge of subsequent events that materially and adversely affect the effectiveness of internal control
they should issue and adverse opinion
In an event that the auditors indentify a material weakness and management takes steps to correct the material weakness prior to year-end, if the auditors are unable to obtain sufficient evidence that the new controls are effective for a sufficient period of time
they will issue a disclaimer of opinion on internal control
If there is a reasonable possibility that a material weakness could occur
this is a material weakness
Redundant controls
those that duplicate other controls
A compensating control lowers a significan deficiency to what level
to a control deficiency
Standard No. 5 states that the auditors should vary the exact tests performed when possible
to introduce unpredictability into the audit process
What are examples of entity level controls
tone at the top, assignment of authority and responsibility, and corporate codes of conduct, technology general controls over program development, program changes, and computer controls
Material weakness existed during the year, system changed prior to the as of date, auditors do not have sufficient time to test new system
treat as scope restriction
The auditor's test can be performed only at the time the controls are operating (true or false)
true
Material weakness existed during the year, system changed prior to the as of date, auditors test new system and material weakness eliminated
unqualified
Other issues
unqualified (but with an explanatory paragraph)
What kind of report can the auditor issue after they find that a previous adverse opinion is now possessing effective controls
unqualified report indicating that the material weakness no longer exists
For controls that happen only periodically it may be necessary to wait
until after the date of management's report to test them
What is an example of a relevant assertion
valuation may be very relevant to determining the amout of A/R, but it is not ordinarily relevant to cash unless currency translation is involved
Report on subject matter and/or assertion? Only on subject matter Subject matter or assertion when no material weakness exists
when a material weakness exists, subject matter
The auditors must also consider qualitative factors
when evaluating materiality
Examples of qualitative factors include
whether the weakness relates to related party transactions and whether there are changes in account characteristics in relation to the prior year
Strong indicator or significant deficiency in mgmt whistleblower program
whistleblower program significantly defective in design or operation
Is the auditor responsible for the work of others
yes, and they cannot share responsibility with those others