64 Cards in this Set

  • Front
  • Back
What are the four steps in the planning process?
Client Acceptance and continuance
Establishing an understanding with the client
Preliminary engagement activities
Plan the Audit
Why is doing acceptance/continuance procedures and investigation important?
To determine if we want to be associated with this client (entity's business risk and firm's engagement risk)
What are some things to do to determine whether you want to accept a new client or continue to audit them?
talk to prior auditor
client integrity
any disagreements in past with auditors
fraud, illegal acts
litigation
What is the relationship between materiality, risk and use of internal auditors?
Lower materiality and less risk can use internal auditors more and to help you
High materiality and high risk you want to do yourself
What do you do for establishing an understanding with the client?
Engagement letter.
Say what you're going to do and the services you are going to provide. Say if we can't get audit don't reasonably not going to issue a report
estimated cost
not going to look at every transaction
What do you do for preliminary engagement activity?
engagement team selection
consider complexity, industry specialization, independence
What do you do for planning the audit?
-overall audit strategy/plan (risk assessment, preliminary materiality, nature/timing/extent of work)
-determine need for specialists
-consider illegal acts
-identify related parties
-conduct preliminary analytics
What are three types of tests prepared for the audit program?
-Risk assessment procedures
-tests of controls
-substantive tests
What are two types of tests of controls?
Design: are controls properly designed to prevent/ detect material weakness
Operating effectiveness: are controls operating effectively
Is control testing required?
-Public companies- yes
-private companies- No, as long as no reliance to be placed on controls. However still must be considered and documented
What are some things auditors do to test controls?
-inquiries
-inspect documents
-observe
-re-perform/ recompute
What are substantive tests?
-Test account balance and activity (looking for $ errors)
-Two types: Analytics & test of details
What are the three types of analytical procedures? Which one is the most reliable and least reliable?
-Trend, ratio, reasonableness
-Trend is least reliable and reasonableness is most reliable
What do you need to do for substantive testing?
-Determine an expectation. disaggregate information if possible, look for relationships that are plausible and predictable. Info must be reliable
-Determine tolerable differences. findings need to be equal to or less than this amount
-If finding greater than tolerable differences then need to further investigate to determine if client wrong or analytic is not accurate
-document approach and finding thoroughly
What are test of details?
classes of transactions, balances, financial statement disclosure
What are the three approaches of testing?
-Better controls working prob don't need as much substantive testing
-If controls aren't working as well need to do more substantive testing
-Do lots of control testing and lots of substantive testing (bc high risk and or high materiality)
Describe the Audit test hierarchy.
-Obtain an understanding
-identify business/audit risk
-document understanding of IC
-Gather evidence (test controls, substantive analytics, test of details)
-Audit Opinion
Describe the Assurance bucket
Fill with:
1) risk assessment procedures
2) test of controls
3) substantive analytics
4) Remaining assurance from test of details
What are internal controls?
-methods/procedures designed and effected by BOD/MGMT to provide reasonable assurance
-not all directly related to audit
What are the 5 components of Internal Control - Reliance Approach?
-Control environment
-Entity's risk assessment procedures
-Control procedures
-Information system relevant to financial reporting and communication
-monitoring of controls
What does understanding control environment deal with?
-tone of organization
-integrity and ethical values
-participation of BOD/ AC
-mgmt philosophy and style towards risk and controls
What are control activities?
-general IT controls
-Application IT controls (individual applications)
-physical security
-duty segregation
What are some info systems and communication risks?
-Hardware, software, people, procedures
-access to data/hardware/software
-changes to files/programs
-more complex than IT system
What are three ways that controls can be overcome?
-mgmt override
-human errors
-collusion
Name some ways of documentation
-procedure manuals
-organization charts
-narratives/memos
-control questionnaires
-flowcharts
What are the steps of assessing control risk?
-identify controls we plan to rely on
-test those controls
-conclude regarding "achieved/acceptable level of risk"
-If test results don't allow you to conclude controls are operating as expected then need to revise a planned level of audit procedures and rely more on substantive testing
What are service bureaus and the difference between type 1 and type 2 tests?
-provide services to someone else
-Type 1 tests: service bureau auditor simply documents controls that are in place
-Type 2 tests: service bureau auditor would document controls and test their controls
What is a control deficiency and the three types?
-Design and operation of control does not allow management to find it and fix it
-Material weakness
-Significant deficiency
-Minor deficiency
When doing substantive analytical procedures what is the first step that must be completed?
Develop an expectation
What is mgmt's responsibility under section 404 of SOX regarding ICFR?
-mgmt responsibility of ICFR and reports annually in annual report to shareholders on Form 10-K
-evaluation effectively by COSO
-must have supporting documentation and evidence
What is the auditor's responsibility under section 404?
We also have to test ICFR.
Integrated audit= test I/C and F/S at the same time
Who is responsible for ICFR implementation and reliability?
Implementation-mgmt and board of directors
Reliability- mgmt
What are control, design, and operating deficiency?
-control deficiency: when design or operation of a control does not allow mgmt/employees, in normal course of business/ doing their duties to prevent or detect a misstatement on a timely basis
-Design deficiency: control is missing or if present not designed properly to meet control objective
-Operating deficiency: control is properly designed but does not operate as designed or when person performing control does not have authority or competence to perform control effectively.
What are material weakness, significant deficiency, and minor control deficiency?
Material weakness: worst- reasonable chance something will slip through
Significant deficiency: not as bad as material weakness, but still bad
Minor control deficiency: insignificant
What must you do before you conclude there is a SD/MW?
you must consider compensating controls
What are the four requirements that management must comply with in order for its registered public accounting firm (external auditors) to complete an audit of ICFR?
-accept responsibility for the effectiveness of the entity's ICFR
-evaluate the effectiveness of the entity's ICFR using suitable control criteria
-Support the evaluation with sufficient evidence, including documentation
-present a written assessment regarding the effectiveness of the entity's ICFR as of the end of the entity's most recent fiscal year
management's assessment process to issue THEIR report on ICFR must use...?
-an accepted framework on IC (usually COSO) external auditors cannot participate
-identify financial reporting risks and related controls
-decide which locations/business units to test (not based on materiality but rather on both risk and materiality, esp risk)
-test controls that address risks identified
-communicate results to mgmt, AC, external auditors
-documentation of policies
What is the process of management correcting a material weakness as part of the assessment of ICFR called?
Remediation
What does the identification of a misstatement in FS audit mean?
-may mean there is a SD/MW
-however just bc misstatement is NOT identified doesn't mean there are none
-Also having a material weakness does not mean an error HAS occurred, only that it could occur and not be detected/prevented
What are the steps in the audit of an ICFR?
-plan the audit of ICFR
-Identify controls to test using a top-down, risk-based approach
-test the design and operating effectiveness of selected controls
-evaluate identified control deficiencies
-form an opinion on the effectiveness of ICFR
As an auditor what do you do during the planning process of the engagement of an ICFR?
-evaluate mgmt's process. Do not have to test and/or report on mgmt work
-must consider and ultimately test for fraud
-consider scaling concerns
-using work of others is OK if you do proper investigation, testing
-must consider materiality as in f/s audit
What does the auditor do to gain understanding of ICFR (top down risk based approach)?
-gather info on controls
-understand entity level controls
-understand period-end reporting process
-identify significant accts/discl/assertions. Must consider risk of understatement as well as overstatement
-identify likely sources of misstatement
-walkthroughs
Does the auditor test controls of an ICFR?
selects controls to test to cover significant accts/assertions/processes
-do not have to test all controls just key controls to sufficiently address misstatement to each relevant
-may test PREVENTATIVE or DETECTIVE controls
-must also decide which location to test
How does the auditor test design effectiveness of an ICFR?
-inquiry
-observation
-walkthroughs
-inspect documents
What do auditors need to be aware of when concluding on ICFR?
be aware of mgmt's and IA's testing results as well and how they may affect your results, but not need to test mgmt's work nor opine on their opinion.
Do SD or MW need to be reported?
If not fixed or fixed but not enough time to test if it works, then will either be SD (no required external reporting) or MW (adverse opinion on ICFR would be issued by external auditor in Form 10-k)
Who is to be informed about MW, SD, and minor deficiencies?
-Auditor must communicate in writing any MW and or SD to AC and MGMT
-also must report any MW in client's annual report on form 10k
-minor deficiencies must be reported in writing to mgmt at least and perhaps AC
-scope limitations if significant must have opinion disclaimer on ICFR
SD-
Must an auditor issue an adverse opinion if MW found?
-if one or more MWs, opinion must be adverse
Who should fraud be reported to?
level of mgmt above that committing the fraud. Also report with audit committee best answer because they want to know
What are the four steps of a lawsuit?
-occurrence
-investigation
-file suit
-resolution
What are some common (case) law- client claims?
-No guarantees
-breach of contract
-negligence (must meet 4 requirements)
What is the difference btw contributory and comparative negligence?
-Contributory: if plaintiff is partially at fault, he/she is not allowed any recovery of damages
-Comparative: allows jury to assess relative fault. plaintiff then collects some portion of damages
What are damages?
-compensatory or punitive. Only civil not criminal
-proportionate liability (defendant pays their portion)
-joint and several (defendant can pay their portion and other defendant's portion)
What are some common (case) law -3rd party claims?
-Negligence
-Fraud
What do you need to prove to make a negligence claim?
-Duty owed by auditor
-we breached that duty
-Direct connection btw us not doing our duty and a loss
-actual loss suffered
What is privity, near privity, foreseen 3rd party, and reasonably foreseeable 3rd party?
-privity: if you don't have a contract then you don't have privity and cannot follow a claim
-near privity: saying talked with the auditors about client. Hard to prove auditors talked to you
-foreseen 3rd party: Most commonly used. Auditors reasonably knew 3rd party was going to see financial statements
-Reasonably foreseeable 3rd party: Not fair. Auditor reasonably knew 3rd party was going to see financial statements
What is the 33 Act: initial filings Section 11?
do not have to prove negligence, fraud, reliance on audit opinion, contractual relationship. Only need to prove loss suffered by investing in the registered security and the f/s contained material misstatements or omissions.
Shifts burden of proof to auditor
What is the 34 Act: recurring filings?
10b5 must prove material/factual misrepresentation or omission, reliance by plaintiff on f/s, damages, scienter (intent)
Under section 18 liable if you make a false or misleading statement in document filed with SEC
What is the Private Litigation Reform Act?
1995 no more fishing expeditions and formally created the concept of proportionate liability
What is the Securities Litigation Uniform Standard act of 1998?
cannot move class action suits from federal to state courts to get a more favorable outcome
What is Sarbanes Oxley?
Quarterly Sec 302 signoffs by CEO/CFO and annual Sec 906 signoff by CEO/CFO re fairness of f/s and compliance with laws and regs
What is FCPA?
management cannot bribe foreign officials to obtain/retain business. If auditor becomes aware must report to BOD
What is RICO?
treble damages can be assessed by court
Under statutory law can you be held civilly or criminally liable?
Both