Auditing Exam 2
Auditing Exam 2 ACCT 4150
This 33 page Study Guide was uploaded by Victoria Andreski on Saturday March 5, 2016. The Study Guide belongs to ACCT 4150 at Clemson University taught by Nancy Harp in Spring 2016. Since its upload, it has received 213 views. For similar materials see Auditing in Accounting at Clemson University.
Date Created: 03/05/16
Exam 2—Auditing Chapters 4-8

CHAPTER 4—Risk Assessment

Audit Risk—risk that an auditor expresses an unqualified opinion on materially misstated financial statements
• Can control the risk by testing everything, but clients won’t pay for that → they must accept audit risk
• 2 levels:
  o Financial statement level
    § Relates to risk of entire financial statements—qualitatively stated
      • Always want it “low” or “very low”
      • Look at each individual assertion
        o Example: inventory existence (go & physically count)
  o Individual account balance or class of transactions level
• Auditing standards do not provide specific guidance on what is an acceptable level of audit risk
• Determination of audit risk involves considerable judgment on the part of the auditor
• Auditor CHOOSES (specifies) an ACCEPTABLE (maximum) level of audit risk
  o You control the audit risk—can get it low by doing a lot of work
• Level of Assurance = 1 – Audit Risk
  o Inverse of audit risk
  o Example: 5% risk = 95% assurance

Audit Risk Model
AR = IR x CR x DR
• Inherent Risk—susceptibility of an assertion to a material misstatement, assuming there were no related internal controls
  o Depends on specific assertion being tested
  o Not considering internal controls
  o Examples:
    § Integrity of management—do they do the right thing?
    § Client motivation
    § Accounting estimates & complex transactions
    § Initial vs. repeat engagement—inherent risk higher for 1st time
    § Results of prior audits
    § Other business risks
• Control Risk—risk that a material misstatement would not be prevented or detected by the internal controls → controlled by client
  o The riskier, the more difficult the audit will be
    § Want risk to be low
  o Examples:
    § Active board of directors/audit committee
    § Effective internal audit department
    § Proper computer controls
    § Proper segregation of duties
• Detection Risk—risk that the auditor will not detect a material misstatement in an assertion
  o Maybe the person trusts the #s on the box of inventory and doesn’t actually open it or just checks the inventory that is the most accessible (don’t check boxes on very top shelves)
  o Do the wrong test or do the right test in an inappropriate way
    § Depends on how much work/testing you do & how effective it is
  o 2 types:
    § Sampling Risk—may not detect a material problem b/c we aren’t going to count every single piece of inventory—something you simply accept
      • Reduce by counting more
    § Nonsampling Risk
      • Inappropriate audit procedure
      • Fail to detect when using appropriate audit procedure
      • Misinterpreting audit results
        o Assumption: completeness (did everything get recorded?)
          § Pick the wrong test
          § Misinterpret audit results
• Inherent & Control Risk are INDEPENDENT of the audit → can’t control
  o Risk of material misstatement

Engagement Risk—an auditor’s exposure to financial loss & damage to professional reputation
• Client & 3rd party lawsuits
• Negative publicity
• Even if we do everything perfectly, someone can still come & sue you
• Can’t control
• Certain industries are riskier
• Very carefully screen & choose clients to reduce risk
• Always present whether or not audit is in accordance with GAAS
• Auditors may gather more evidence than implied by GAAS if there is high engagement risk, but CANNOT gather less evidence than implied by GAAS if there is minimal risk
• Cannot be directly controlled by auditor, although some control can be exercised through the client acceptance & continuance process

Using the Audit Risk Model
1. Set a planned level of AR such that an opinion can be issued on the financial statements
   a. Figure out nature, timing, & extent of your audit
2. Assess the risk of material misstatement (IR x CR)
3. Use the AR equation to solve for the appropriate level of detection risk:
   AR = IR x CR x DR
   DR = AR / (IR x CR)
• Auditors use this level of DR to design audit procedures that will reduce AR to an acceptable level
  o When denominator gets big, result gets small → that’s bad
  o The smaller the DR, the more work the auditor has (more testing)

Case   AR     IR     CR     DR
1      0.05   1.00   1.00   0.05
2      0.05   1.00   0.50   0.10
3      0.01   1.00   1.00   0.01

• Qualitative terms

Case   AR         RMM        DR
1      Very low   High       Low
2      Low        Moderate   Moderate
3      Very low   Low        High

• Can’t control RMM → can ONLY assess

Limitations of the AR Model
• AR model is a planning tool, but has some limitations that must be considered when the model is used to revise an audit plan or to evaluate audit results → just a guide
• Desired level of audit risk may not actually be achieved
• It does not consider potential auditor error
• There is no way of knowing what the preliminary level of risk actually was

[Diagram: Preliminary Assessment Level of Risk +/- Actual or Achieved Level of Risk]

The Auditor’s Risk Assessment Process
• Auditors need to identify business risks & understand the potential misstatements that may result
• Business Risks—risks that result from significant conditions, events, circumstances, or actions that impair management’s ability to execute strategies
• Procedures (How do we gather this evidence?):
  o Inquiries of management, other entity personnel, & others outside the entity
    § Talk to client’s executives, key customers, board of directors, lawyers, etc.
  o Analytical Procedures—relationships that should be there
    § Ex: interest expense & long-term debt
  o Observation & Inspection
    § Look at board minutes, industry reports, & just anything they can
• Understanding the Entity & its Environment
  o Nature of the entity
    § Entity’s organizational structure & management personnel
      • The more complex the structure, the more risk
    § Sources of funding of the entity’s operations & investment activities (capital structure, noncapital funding, & other debt instruments)
    § Entity’s investments
    § Entity’s operating characteristics (size & complexity) → major source of risk
    § Sources of entity’s earnings (relative profitability of key products & services)
    § Key supplier & customer relationships
      • A lot of smaller companies rely on just 1 supplier which puts a lot of pressure & risk on them
  o Industry, regulatory, & external factors
    § Industry Conditions
      • Market & competition (demand, capacity, & price)
      • Cyclical or seasonal activity
      • Product technology relating to entity’s products
      • Supply availability & cost
    § Regulatory Environment
      • Accounting principles & industry specific practices
      • Regulatory framework for a regulated industry
      • Legislation & regulation that significantly affect operations
      • Taxation
      • Government policies currently affecting conduct of business
      • Environmental requirements affecting industry & business
    § Other external factors
      • General level of economic activity (recession, growth)
      • Interest rates & availability of financing
      • Inflation & currency revaluation
  o Internal control
  o Objectives, strategies, & business risks
  o Entity performance measures

Assessing the Risk of Material Misstatement Due to Error or Fraud
• Errors are unintentional misstatements
  o Human error
  o Mistakes in gathering/processing financial data used to prepare financial statements
  o Unreasonable accounting estimates arising from oversight or misinterpretation of facts
  o Mistakes in the application of accounting principles relating to amount, classification, manner of presentation, or disclosure
• Fraud involves intentional misstatements
  o Fraud risk identification process includes:
    § Sources of information about possible fraud
      • Communications among audit team
      • Inquiries of management & others
      • Analytical procedures—look at ratios
      • Unexpected period-end adjustments
  o Fraud Triangle
    § 3 conditions usually exist when fraud occurs
      • Opportunity to carry out the fraud (Internal Controls)
      • Attitude or rationalization to justify fraud
      • Incentive or pressure to perpetrate fraud
• Fraudulent Financial Reporting
  o Risk factors relating to incentive/pressure include:
    § Excessive pressure for management to meet 3rd party expectations
    § Financial stability or profitability is threatened
    § Management’s personal financial situation is threatened
  o Risk factors relating to opportunities include:
    § Nature of the industry or entity’s operations
    § Complex or unstable organizational structure
    § Ineffective monitoring of management
      • If you have a lazy board of directors or audit committee is inefficient
    § Deficient internal control
      • Segregation of duties is important
  o Risk factors relating to attitudes/rationalizations:
    § Nonfinancial management’s excessive participation in selection of accounting principles & estimates
    § Excess interest by management in stock prices & earning trends
    § Committing to aggressive or unrealistic forecasts
      • Get their budgets & forecasts to see how aggressive they are
    § Ineffective communication of ethical standards or selection of inappropriate ethical standards
    § Recurring attempts to justify marginal or inappropriate accounting based on materiality
      • If they say that “No, it’s okay, it’s only small. Quit looking at that.” → red flag
    § History of violations of securities laws or allegations of fraud
      • If client has a history of being investigated

Fraud involves intentional misstatements
• Fraudulent financial reporting
• Misappropriation of assets (aka stealing)

Fraudulent financial reporting includes:
• Manipulation, falsification, or alteration of accounting records or supporting documents used to prepare financial statements
• Misrepresentation in, or intentional omission from, the financial statements of events, transactions, or significant information
• Intentional misapplication of accounting principles relating to amount, classification, manner of presentation, or disclosure

Misappropriation of assets:
• Theft of an entity’s assets to the extent that financial statements are misstated
• Examples:
  o Stealing assets
  o Paying for goods & services not received by the company
    § Could set up a fake vendor that company pays that is actually the employee receiving money for fake services
  o Embezzling cash received
• Risk Factors
  o Incentives/pressures
  o Opportunities
  o Attitudes/rationalization

Auditor’s response to the risk assessment
• To respond appropriately to financial statement level risks, the auditor may do the following:
  o Emphasize to the audit team the need to maintain professional skepticism
    § When client tells you something, be skeptical → don’t just believe everything you hear
  o Assign more experienced staff or those with specialized skills
    § If working w/ client that has more fraud risk, put more experienced worker on it instead of an intern or new staff
  o Provide more supervision
  o Incorporate additional elements of unpredictability in the selection of audit procedures
    § Sometimes do a surprise count of inventory so they can’t hide things or rearrange certain things
    § Maybe ask lower level people who don’t know to hide certain things

Evaluation of Audit Test Results
• At the completion of the audit, auditor should consider:
  1. Whether the accumulated results of audit procedures affect the assessments of the entity’s business risk & the risk of material misstatement, and
  2. Whether the total misstatements cause the financial statements to be materially misstated
  (In total, did we do enough to find a clean opinion?)
  THEN…
• If the financial statements are materially misstated, the auditor should:
  1. Request management to eliminate the material misstatement, or
  2. If management does not make needed adjustments, the auditor should issue a qualified or adverse opinion
• If the auditor determines that the misstatement is or may be the result of fraud, & has determined that the effect could be material, the auditor should:
  o Attempt to obtain audit evidence to determine whether, in fact, material fraud has occurred and, if so, its effect
    § Get a sense of how big the situation is
  o Consider the implications for other aspects of the audit
    § May have to go back into already completed work to see if there are any connections
  o Discuss the matter & the approach to further investigation w/ an appropriate level of management that is at least one level above those involved in committing the fraud & w/ senior management
  o If appropriate, suggest that the client consult w/ legal counsel
  o Consider withdrawing from the engagement

Documentation
• Auditor should document:
  o Discussions among engagement personnel
  o Procedures performed to identify & assess the risks of material misstatement due to error or fraud
  o Fraud risks or other conditions that result in additional audit procedures
  o The nature, timing, & extent of procedures performed in response to fraud risks identified & the results of that work
  o Nature of the communications about error or fraud made to management, the audit committee, & others

Communications about Fraud
• When the auditor finds evidence that a fraud may exist, that matter should be brought to the attention of an appropriate level of management. Fraud involving senior management & fraud that causes a material misstatement of the financial statements should be reported directly to the audit committee of the board of directors
• Auditor should reach an understanding w/ the audit committee regarding the expected nature & extent of communications about misappropriations perpetrated by lower-level employees
• The disclosure of fraud to parties other than the client’s senior management & its audit committee ordinarily is not part of the auditor’s responsibility & ordinarily would be precluded by the auditor’s ethical & legal obligations of confidentiality, EXCEPT when the following conditions are met (when you can report to 3rd parties):
  o To comply w/ certain legal & regulatory requirements
  o To a successor auditor when the successor makes inquiries of the predecessor auditor about the client
  o In response to a subpoena
  o To a funding agency or other specified agency in accordance w/ requirements for the audits of entities that receive governmental financial assistance

CHAPTER 5—Evidence & Documentation

Management Assertions
• Assertions about classes of transactions & events for the period under audit
  o Occurrence
  o Completeness
  o Classification
  o Cutoff (Is it completed in the correct period?)
  o Authorization
  o Accuracy
• Assertions about end-of-the-period account balances
  o Existence
  o Completeness
  o Rights & obligations
  o Valuation & allocation
• Assertions about presentation & disclosure
  o Classification (current or long-term?) & understandability (easy to understand instead of just using company jargon)
  o Accuracy & valuation
  o Completeness
  o Occurrence & rights & obligations

ID Management Assertions
1. Existence or Occurrence
   a. Assets & liabilities exist & recorded transactions occurred
   b. Existence—end-of-period balance → test by sending company a letter for them to validate
      i. Does the amount reported on the balance sheet actually exist?
   c. Occurrence—transaction side → take samples
      i. Did they actually occur?
   d. Can either look at each transaction or just the ending balance
   e. Example:
      i. Supplies on the balance sheet physically exist
         11/15   A/R                 1500
                     Sales Revenue         1500
      ii. Is the sale real? → Pull purchase orders, invoices, shipping documents, etc.
      iii. Test VALIDITY
         1. Is it valid?
         2. Is it real?
2. Completeness
   a. ALL transactions & accounts that should have been recorded in the F/S were recorded
   b. Did something not get recorded?
   c. Example:
      i. All payroll expenses that should have been recorded were recorded
      ii. Accounts payable → subsequent payments
      iii. How do we find debt that isn’t recorded b/c they want to hide it?
         1. Write letters/communicate w/ banks the company uses & see how much debt they actually owe
      iv. Test COMPLETENESS
3. Rights & Obligations
   a. Assets are actually rights of the client & recorded liabilities are actually owed by the entity
   b. Something can exist but we may not have the right to it
      i. Sometimes inventory is owned on consignment
   c. Example:
      i. The client has legal title or similar rights to inventory
      ii. Test OWNERSHIP
4. Valuation or Allocation
   a. Assets, liabilities, revenues, & expenses are appropriately valued & allocated to the proper accounting period
      i. Related to depreciation expense
   b. Inventory has to be lower of cost or market—Is it valued correctly?
   c. Example:
      i. Net A/R is valued at an amount that reasonably reflects collectability
      ii. Taking into account the allowance for doubtful accounts
      iii. Test VALUATION
5. Classification & Understandability
   a. Financial information is appropriately presented & described, & disclosures are clearly expressed
   b. Example:
      i. Notes Payable due in less than 1 year are classified as Current Liabilities
         1. Test CLASSIFICATION
         2. Check to make sure that contingent liabilities are disclosed in the footnotes
            a. Test DISCLOSURE
6. Accuracy
   a. Amounts & other data relating to recorded transactions & events have been recorded appropriately
   b. Properly record @ correct dollar amount—is the total correct?
   c. Look for inaccuracies on how things are recorded
   d. Example:
      i. Foot sales journal to see if the total sales # is added correctly & matches the G/L entry
      ii. Test MECHANICAL ACCURACY
7. Cutoff
   a. Transactions & events have been recorded in the correct accounting period
      i. Things are being put in the right period
         1. Very important for revenue
   b. Example:
      i. Check to make sure that sales are recorded in the proper period
      ii. Test CUTOFF
      iii. Examine shipments made on 12/31 & on 1/1 to see if they were recorded in the right year
         1. Look @ the invoice & see if the date it was recorded on in the system matches the date goods were actually shipped

Audit Evidence
• All the information, from whatever source, used by the auditor in arriving at the conclusions on which the audit opinion is based
  o Schedules, bank statements, inventory counts, checks, letters, ratio analysis, etc.
• Concepts of Audit Evidence
  o 1) Nature of the Audit Evidence
    § Form or type of evidence
      • Records of initial entries & supporting records
      • Spreadsheets supporting cost allocations
      • Invoices
      • General & subsidiary ledgers
      • Contracts
      • Adjustments to financial statements
      • Worksheets
      • Other computations, reconciliations, & disclosures
  o 2) Sufficiency & Appropriateness of Audit Evidence
    § Sufficiency—measure of the QUANTITY of audit evidence
      • Is it enough?
      • Relative to the amount of risk
      • Greater risk of misstatements requires a higher quantity of audit evidence (IR x CR)
      • Higher quality audit evidence results in a lower quantity of audit evidence (don’t need as much)
        o Ex: information from a 3rd party
      • Inverse relationship of sufficiency & appropriateness
    § Appropriateness—measure of the QUALITY of audit evidence
      • Relevance—not all evidence makes sense for the assertion being tested
      • Reliability—how much the evidence gathered can be depended on
        o Independent source of the evidence
          § Confirmation letter from 3rd party (independent of client) is very reliable
        o Effectiveness of internal control
          § Outputs from client aren’t very reliable if internal controls are weak
        o Auditor’s direct personal knowledge
          § Based on what auditor personally examines & tests
            • High quality
            • Less reliable if auditor simply calls company & gets information over the phone—you should physically see/test it yourself
        o Documentary evidence
        o Original documents—best kind
  o 3) Evaluation of Audit Evidence
    § Proper evaluation of evidence requires an understanding of the:
      • Types of evidence available
      • Relative reliability of available evidence
    § An auditor should be thorough in searching for evidence & unbiased in its evaluation
      • Ex: In a sample of 50, something is weird w/ 5 of them → evaluate ALL 50, not just most or some of them
      • Bias is an issue when you are friends w/ or have gotten close to your clients—be skeptical

Audit Procedures
• A set of audit procedures prepared to test assertions for a component of the financial statements—audit program
• Audit procedures for obtaining audit evidence
  o Inspection of records & documents
    § Evidence obtained from external documents is more reliable than evidence obtained from internal documents
    [Diagram: Vouching (Occurrence) runs from Journal or Ledger to Source Documents; Tracing (Completeness) runs from Source Documents to Journal or Ledger]
    § Direction of testing is very important
      • Tracing—start from document & see if it is in the books
      • Vouching—start w/ what is recorded in the books & see if there’s a valid source document showing that it actually happened
  o Inspection of tangible assets
    § Physical examination of a tangible asset
      • Personal knowledge—you actually go & look at it
  o Observation
    § Process of watching a process or procedure being performed by others
      • Watching someone else do it
      • You aren’t the one physically examining it
  o Inquiry
    § Consider the knowledge, objectivity, experience, responsibility, & qualifications of the individual to be questioned
      • Am I asking the right person?
    § Ask clear, concise, & relevant questions appropriately
    § Use open or closed questions appropriately
      • Open—gives them a chance to give a lot of info
      • Closed—yes/no answer
    § Listen actively & effectively
    § Consider the reactions & responses, then ask follow-up questions
    § Evaluate the response
  o External Confirmation
    § Process of obtaining a representation of information or of an existing condition directly from a 3rd party
    § The reliability of evidence obtained through confirmations is directly affected by factors such as:
      • The form of the confirmation
      • Prior experience w/ entity
      • Nature of information being confirmed
      • Intended respondent → who is supposed to be responding?
  o Recalculation
    § Determining the mathematical accuracy of documents or records
    § Example: foot the journal
  o Reperformance
    § The auditor’s independent execution of procedures or controls that were originally performed as part of the internal control system
  o Analytical Procedures
    § Evaluations of financial information made by a study of plausible relationships among both financial & nonfinancial data
      • Get a sense to see if it’s reasonable
  o Scanning
    § Review of accounting data to identify significant or unusual items
      • Skim to see if there is something wrong
    § Example: look for weird journal entries—JE done at 4am
    § CAATS—helps determine red flags w/ computer system

Reliability of Types of Evidence
Higher:  Inspection of tangible assets, reperformance, recalculation (You actually doing something)
Middle:  Inspection of records & documents, confirmation, analytical procedures, scanning
Lower:   Observation, inquiry (Watching someone do something or asking them about it)

Audit Documentation
• The auditor’s principal record of the audit procedures performed, evidence obtained, & conclusions reached
• Working papers
• 3 functions:
  o 1. To provide support for the audit report
  o 2. To aid in the planning, performance, & supervision of the audit
  o 3. To provide basis for quality reviews & evidence supporting the auditor’s significant conclusions
• Should be organized so that audit team members & others can find evidence supporting financial statement accounts
• Property of the auditor, including documents prepared by the client at the auditor’s request
• SOX of 2002 requires audit documentation to be retained for 7 years from the completion date of the engagement

Content of Audit Documentation
• Demonstrate how the audit complied w/ auditing & related professional practice standards
  o Work must be properly planned
• Support the basis for the auditor’s conclusions concerning each material financial statement assertion
• Demonstrate that the underlying accounting records agreed or reconciled w/ the financial statements
  o Make sure the #s you audited actually show up on the financial statements
• Include a written audit program detailing audit procedures necessary to accomplish audit objectives
• Enable a knowledgeable & experienced reviewer to:
  o Understand the nature, timing, extent, & results of audit procedures, evidence obtained, & conclusions reached
  o Determine who performed & reviewed the work & the dates of the work & reviews
• Audit Program—set of procedures that an auditor believes are necessary to perform to express an opinion
  o Basis for coordinating/supervising audit
  o Means to control time spent on audit
  o Guide for entry-level employees
  o Evidence of proper planning
  o Record of work done
    § Sign off on work papers & initial the audit program
• Most public accounting firms maintain audit documentation in 2 types of files:
  o Permanent files—something needed year to year → use it ongoing
    § Corporate charter
    § Chart of accounts
    § Organization chart
    § Accounting manual
    § Important contracts
    § Internal control documentation
    § Terms of stock & bond issues
    § Prior years’ analytical procedures
  o Current files—more specific for THIS year’s audit
    § Audit plan/audit report
    § Audit programs
    § Working trial balance
    § Minutes of meetings
    § Adjusting journal entries
    § Reclassification journal entries
    § Current financial statements
    § Working papers supporting accounts

Format of Audit Documentation
• Heading
  o Client name
  o Title of the working paper
  o Client’s year-end date
• Indexing & cross-referencing
  o Notations that provide a trail from financial statements to audit documents
• Tick marks
  o Notations made next to work paper items indicating auditor/reviewer actions
  o Talks about things you did → descriptions

Analytics
• Evaluations of financial information made by a study of plausible relationships among financial & nonfinancial data
• Involve comparisons of recorded amounts, or ratios developed from recorded amounts, to expectations developed by the auditor
  o Comparisons w/:
    § Industry averages
    § Similar businesses
    § Client budget, projections, forecasts
    § Prior periods (reasonable?)
    § Nonfinancial data (logical?)
• Purpose
  o Helps auditor understand client in general
  o Helps evaluation of client as a going-concern
  o Helps identify areas for audit work
  o Can reduce detail testing
  o **Can reduce costs
• Preliminary—used to assist the auditor to better understand the business & to plan the nature, timing, & extent of audit procedures
• Substantive—used to obtain evidential matter about particular assertions related to account balances or classes of transactions
• Final—used as an overall review of the financial information in the final review stage of the audit
• Types
  o Trend Analysis—least precise; trends over time
  o Ratio Analysis—compare to industry benchmark
  o Reasonableness Analysis—most precise
    § Predict a # based on a model used—come up w/ your best guess & compare to # they report

Develop an Expectation
• Auditing standards require the auditor to have an expectation whenever analytical procedures are used
• An expectation can be developed by using a variety of information sources:
  o Financial & operating data
  o Budgets & forecasts
  o Industry publications
  o Competitor information
  o Management’s analyses
  o Analyst’s reports

Tolerable Difference
• Size of difference depends on:
  o Significance of account
  o Desired degree of reliance on the substantive analytical procedures
  o Level of disaggregation (broken up into smaller pieces) in the amount being tested
  o Precision of the expectation
• Amount is always less than planning materiality
  o Materiality of entire audit
• The more confident you are in the expectation/estimate, the smaller the tolerable difference

Compare & Investigate
• Compare the expectation to the recorded amount & investigate any differences greater than the tolerable difference
• Preliminary analytical procedures differences → corroborating evidence is NOT required
• Final analytical procedures differences—very end of audit when you look at all the ratios → corroborating evidence is required

Ratios
• Short-Term Liquidity Ratios
  o Current ratio
  o Quick ratio
  o Operating Cash Flow ratio
• Activity Ratios
  o Receivables Turnover → Days outstanding in accounts receivable
  o Inventory Turnover → Days of inventory on hand
• Profitability Ratios
  o Gross Profit Percentage
  o Profit Margin
  o Return on Assets
  o Return on Equity
• Coverage Ratios
  o Debt to Equity
  o Times Interest Earned

CHAPTER 6—Internal Control in a Financial Statement Audit

Internal Control
• Process effected by an entity’s Board of Directors, management, & other personnel; designed to provide reasonable assurance regarding the achievement of objectives in:
  o Reliability of financial reporting
  o Effectiveness & efficiency of operations
  o Compliance w/ applicable laws & regulations
• Management has the responsibility to maintain controls that provide reasonable assurance that adequate controls exist over the entity’s assets & records
• Internal Control System should:
  o Ensure that assets & records are safeguarded
    § Cash or inventory—make sure they aren’t stolen or records aren’t destroyed
  o Generate reliable information for decision making
• Auditor needs assurance about the reliability of the data generated by the information systems
• Auditor uses risk assessment procedures to:
  o Obtain an understanding of the entity’s internal control
  o Identify the types of potential misstatements
  o Ascertain factors that affect the risk of material misstatements
  o Design tests of controls & substantive procedures
• Auditor’s understanding of the internal control is a major factor in determining the overall audit strategy
  o Has responsibility to:
    § Obtain an understanding of internal control AND
    § Assess control risk

COSO Internal Control—Integrated Framework
• Reliability of Financial Reporting
  o Generally, internal controls pertaining to the preparation of financial statements for external purposes are relevant to an audit
• Effectiveness & Efficiency of Operations
• Compliance w/ Laws & Regulations
  o Controls relating to operations & compliance objectives may be relevant when they relate to data the auditor uses to apply auditing procedures

Components of Internal Control
  o Control Environment
    § Sets the tone of an organization, influencing the control consciousness of its people
    § Foundation of effective internal control, providing discipline & structure
    § Includes: attitudes, awareness, policies, & actions of management & BOD concerning the entity’s internal control & its importance in the entity
    § Principle 1—organization demonstrates a commitment to integrity & ethical values
    § Principle 2—BOD demonstrates independence from management & exercises oversight of the development & performance of internal control
    § Principle 3—management establishes, w/ board oversight, structures, reporting lines, & appropriate authorities & responsibilities in the pursuit of objectives
    § Principle 4—organization demonstrates a commitment to attract, develop, & retain competent individuals in alignment w/ objectives
    § Principle 5—organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
  o Entity’s Risk Assessment Process
    § Process for identifying & responding to business risks & the results thereof
    § For financial reporting purposes—how management identifies risks relevant to the preparation of financial statements that are fairly presented in conformity w/ GAAP, estimates their significance, assesses the likelihood of their occurrence, & decides upon actions to manage them
    § Should consider external & internal events & circumstances that may arise & adversely affect the entity’s ability to initiate, record, process, & report financial data consistent w/ the assertions of management in the financial statements
    § Client business risk can arise or change due to the following circumstances:
      • Changes in the operating environment
      • Corporate restructuring
      • New personnel
      • New technology
      • International growth
      • Rapid growth
      • New accounting pronouncements
      • New or revamped information systems
      • New business models, products, or activities
    § Principle 6—organization specifies objectives w/ sufficient clarity to enable the identification & assessment of risks relating to objectives
    § Principle 7—organization identifies risks to the achievement of its objectives across the entity & analyzes risks as a basis for determining how the risks should be managed
    § Principle 8—organization considers the potential for fraud in assessing risks to the achievement of objectives
    § Principle 9—organization identifies & assesses changes that could significantly impact the system of internal control
  o Control Activities
    § Policies & procedures that help ensure that management directives are carried out
      • Example: the necessary actions are taken to address risks to achievement of entity’s objectives
    § Control activities (automated or manual) have various objectives & are applied at various organizational & functional levels
    § Principle 10—organization selects & develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
      • Performance reviews
      • Physical controls
      • Segregation of duties
      • Information processing controls
      • Example: putting initials next to things you complete
    § Principle 11—organization selects & develops general control activities over technology to support the achievement of objectives
    § Principle 12—organization deploys control activities through policies that establish what is expected & procedures that put policies into action
  o Information System & Related Business Processes Relevant to Financial Reporting & Communication
    § The information system relevant to financial reporting objectives (including the accounting system) consists of the procedures (automated or manual), & records established to initiate, record, process, & report entity transactions & to maintain accountability for the related assets, liabilities, & equity
    § Communication involves providing an understanding of individual roles & responsibilities pertaining to internal control over financial reporting
    § Principle 13—organization obtains or generates & uses relevant, quality information to support the functioning of internal controls
      • Identify & record all valid transactions
      • Classify transactions properly
      • Measure the value of transactions properly
      • Record transactions in the proper period
      • Properly present transactions & disclosures
    § Principle 14—organization internally communicates information (objectives & responsibilities for internal control) necessary to support the functioning of internal control
    § Principle 15—organization communicates w/ external parties regarding matters affecting the functioning of internal control
  o Monitoring of Controls
    § Process to assess the quality of internal control performance over time
    § Assess the design & operation of controls on a timely basis & taking necessary corrective actions
    § Principle 16—organization selects, develops, & performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present & functioning
    § Principle 17—organization evaluates & communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action (including senior management & BOD, as appropriate)

Planning an Audit Strategy
• Audit Risk Model
  AR = IR x CR x DR
• In applying AR Model, the auditor must assess control risk
• If we can get CR low, it allows DR to be high → meaning we don’t have to plan as many or as detailed tests
  o Audit Risk (AR) is a set risk

Substantive Strategy
• After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy & set control risk at the maximum for some or all assertions because of one or all of the following factors:
  o Controls do not pertain to an assertion
  o Controls are assessed as ineffective
  o Testing the effectiveness of controls is inefficient
    § Takes more time trying to make risk low instead of just taking the risk

Reliance Strategy
• Obtain an understanding of internal control
  o Auditor should obtain an understanding of each of the 5 components of internal control to plan the audit. Knowledge is used to:
    § Identify types of potential misstatement
    § Pinpoint the factors that affect the risk of material misstatement
    § Design tests of controls & substantive procedures
  o 1. Understand the control environment
  o 2. Understand the entity’s risk assessment process
  o 3. Understand the information system & communications
  o 4. Understand control activities
  o 5. Understand monitoring of controls
  o Documenting
    § Procedure manuals & organizational charts
      • How is the company organized?
§ Flowcharts • Better for big picture § Internal control questionnaires § Narrative description • Have more details o 5 components are likely to be less formal in a small or midsize entity than in a large entity o Limitations of en entity’s internal control § Override of internal control by management § Human errors or mistakes § Collusion—several people working together to commit fraud • Plan to rely on internal control & assess control risk below maximum o Try to get CR low Assessing Control Risk • Identify specific controls that will be relied uponà perform test of controlsà conclude on the achieved level of control risk o There will be errors—control doesn’t have to be perfect to operate effectively o Required to test internal controls for public companies § Same auditor must audit F/S & internal controls Performing tests of controls • Inquiry of appropriate personnel o Talking to someone • Inspection of documents indicating the performance of the control o Very common o Look for sign offs § Look through huge stack of papers o Could cost the company lots of $ if not done properly • Observation of the application of control • Reperformance of the application of the control by the auditor • Documenting the achieved level of control risk o Auditor’s assessment of control risk & the basis for the achieved level can be documented using a structured working paper, an internal control questionnaire, or a memorandum Timing of Audit Procedures • Interim—anything before 12/31 o Audit procedures § Tests of controls • 1. Assertion being tested not significant • 2. Control has been effective in prior audits • 3. Efficient use of staff time § Substantive procedures • 1. Control environment • 2. Availability of information at a later date • 3. The purpose of the substantive procedure • 4. The assessed risk of material misstatement • 5. The nature of the transactions or balances & relevant assertions • 6. 
The ability of the auditor to perform appropriate procedures to cover the remaining period § The more significant/risky it is, the more you’ll push it to year end • Year End—when final work is completed Auditing accounting applications processed by service organizations • A client may have some or all of its accounting transactions processed by an outside service organization • Because the client’s transactions are subjected to the controls of the service organization, one of the auditor’s concerns is the internal control system in pace at the service organization • It isn’t uncommon for service organizations to have an auditor issue 1 or 2 types of reports on their operations • Example: Payroll—many companies outsource payroll to service providers o Must make sure service providers have good internal controls too • Type 1 Report o Describes the service organization’s controls & assesses whether they are suitably designed to achieve specified internal control objectives • Type 2 Report o Goes further by testing whether the controls provide reasonable assurance that the related control objectives were achieved during the period o Auditor wants to see Type 2 § Goes farther than Type 1 • An auditor may reduce CR below the maximum only on the basis of a service auditor’s Type 2 Report Communication of Internal Control-Related Matters • Material Weakness o A deficiency or combination of deficiencies in internal control where there’s a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected & corrected o Issue w/ a control o Example: problem w/ segregation of duties w/ cash • Significant Deficiency o A deficiency or combination of deficiencies in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged w/ governance o Less severe Types of Controls in an IT Environment • General Controls o More pervasive issues to entire company—big picture things o 1. 
Data center & network operations o 2. System software acquisition, change, & maintenance o 3. Access security o 4. Application system acquisition, development, & maintenance • Application Controls o Specific to an application o 1. Data capture controls o 4. Data validation controls o 3. Processing controls o 4. Output controls o 5. Error controls • Common Data Validation Controls—make sure the data coming in is valid o Limit test o Range test o Sequence check o Existence (validity) test o Field test o Sign test o Check-digit verification CHAPTER 7 —Auditing Internal Control Over Financial Reporting Management Responsibilities (Section 404) • Requires management of publicly traded companies to issue an internal control report, explicitly accepting responsibility for establishing & maintaining “adequate” internal control over financial reporting (ICFR) • 1. Accept responsibility for the effectiveness of the entity’s ICFR o Management’s responsibility to make internal controls effective • 2. Evaluate the effectiveness of the entity’s ICFR using suitable control criteria— COSOà framework of internal controls • 3. Support the evaluation w/ sufficient evidence (includes documentation) • 4. Present a written assessment regarding the effectiveness if the entity’s ICFR AS OF the end of the entity’s most recent fiscal year o Don’t necessarily need to be operating well for the entire year—must be fixed by 12/31 Auditor’s Responsibilities (Section 404 & AS5) • Entity’s independent auditor must audit & report on the effectiveness of ICFR • Auditor required to conduct an integrated audit of entity’s ICFR & its financial statements • ICFR o Process designed to provide reasonable assurance regarding the reliability of financial reporting & preparation of financial statements in accordance