32 Cards in this Set
- Front
- Back
define Internal Control |
process designed to provide reasonable assurance about the achievement of the entity's objectives |
|
3 categories of Entity Objectives |
1. Reliability of financial reporting 2. Effectiveness and efficiency of operations 3. Compliance with applicable laws and regulations |
|
5 components of (COSO) Internal Control |
CRIME 1. Control Environment 2. Risk Assessment 3. Info and Communication Systems 4. Monitoring 5. Existing Control Activities |
|
what is Control Environment |
sets the tone of an organization -provides discipline and structure -generated by management -organizational structure -assignment of authority, responsibility and accountability |
|
what does auditor focus on regarding the Control Environment? |
focus on SUBSTANCE rather than FORM |
|
control environment has a pervasive effect on... |
risk assessment, preliminary judgments about effectiveness may influence nature, timing and extent of further audit procedures |
|
describe Risk Assessment |
management's assessment of risk |
|
existing Control Activities |
(PAID TIPS) 1. prenumbering documents 2. authorization of transactions 3. independent checks to maintain asset accountability 4. documentation 5. timely and appropriate performance reviews 6. information processing controls 7. physical controls safeguarding assets 8. segregation of duties |
|
Segregation of Duties... what needs to be separated? |
ARC 1. Authorization 2. Record keeping 3. Custody of related assets |
|
does an audit require an understanding of all control activities? |
NO |
|
IT General Controls |
related to many applications -controls over data center and network operations -system software acquisition, change and maintenance controls -access security controls -application system acquisition, development and maintenance controls |
|
examples of General Controls |
-passwords -change management procedures -backup/recovery systems -administrative rights to the network |
|
IT Application Controls |
apply to processing of individual transactions -ensure that transactions occurred, are authorized and are completely and accurately processed and reported -input/control/output |
|
examples of Application Controls |
-administrative access rights -controls over interfaces, integrations and e-commerce -checking the mathematical accuracy of records -maintaining and reviewing accounts and trial balances -automated edit checks of input data -manual follow-ups of exception reports |
|
2 types of Service Auditor Reports |
Type 1: report on Management's description of service organization's system and Suitability of Design of Controls Type 2: report on Management's description of service organization's system and Suitability of Design AND OPERATING EFFECTIVENESS of controls |
|
Type 1 Service Organization's Report |
suitability of the design of controls -doesn't provide assurance on the operating effectiveness of the controls -aids user auditor in obtaining an understanding of controls |
|
what is included in Type 1 report on service organization? |
-management's description of service organization's system -whether management's assertion fairly presents the design and implementation -controls were suitably designed -auditor's opinion on management's assertion |
|
Type 2 report on service organization |
Suitability of Design and Operating Effectiveness -reports on the design, implementation and operating effectiveness of a service organization's controls -provides user auditor with evidence that allows a reduction in the assessed level of control risk |
|
what is contained in a Type 2 report? |
-management's description of the service organization's system -whether management's assertion fairly presents the design and implementation, controls were suitably designed and operated effectively -auditor's opinion on management's assertion |
|
if auditor is unable to obtain sufficient appropriate audit evidence regarding the service organization of the company being audited, |
user auditor should issue a qualified opinion or disclaimer |
|
when does a user auditor refer to the work of a service auditor? |
only when their work modifies the user auditor's opinion |
|
design tests of details to ensure that sufficient audit evidence supports... |
the planned level of assurance at the relevant assertion level |
|
observing entity's personnel provides evidence of... |
whether IC control activities are suitably designed to prevent or detect material misstatements |
|
auditor uses knowledge of IC and final assessments of RMM to determine... |
nature, timing and extent of substantive tests |
|
what is the purpose of assessing control risk? |
to contribute to the evaluation of the RMM in the financial statements |
|
primary consideration in evaluating controls is... |
whether specific controls affect financial statement assertions |
|
auditor obtains knowledge of information system relevant to financial reporting in order to... |
understand the process used to prepare accounting estimates, understanding transactions processed, etc. |
|
the classes of transactions in the issuer's operations that are significant to the FS are assessed when... |
auditor is obtaining an understanding of the info and communication component of IC |
|
Audit Risk formula |
Audit Risk = RMM * Detection Risk |
|
RMM formula |
RMM = Inherent Risk * Control Risk |
|
what does auditor do for Audit Risk, Detection Risk and Risk of Material Misstatement? |
Audit Risk: goal is to assess it as low; Detection Risk: controlled by the auditor; RMM: simply assessed |
|
inverse relationship between RMM and |
Detection Risk |