82 Cards in this Set
Internal control definition |
a process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance |
|
who is responsible for maintaining effective internal controls? |
management |
|
the auditor focuses on those controls that contribute to the ___ of external financial reporting |
reliability, timeliness, and transparency |
|
five components of internal control |
control environment, risk assessment, control activities, information and communication, and monitoring |
|
three types of internal control |
financial reporting, regulatory compliance, and operations |
|
IC component: control environment |
set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. the board and senior management set the tone at the top, influencing the control consciousness of its people; it's the foundation for all other components |
|
IC component: risk assessment |
management's identification and analysis of relevant risks related to the achievement of its objectives (not the same as the auditor's risk assessment) |
|
IC component: control activities |
select and develop control activities that contribute to the mitigation of risks to the achievement of objectives. the "guts" of the internal control system (SOD, co-signing requirements, document trail) |
|
ITGC (IT general controls) |
access restrictions (passwords, locks), controls over changes to the environment (authorization, testing of changes) |
|
IT application controls |
limit and reasonableness tests on inputs, data validity checks upon transfer of data |
|
management assertions |
existence/occurrence, completeness, accuracy, cutoff, classification, rights and obligations, valuation and allocation, authorization |
|
IC component: information and communication |
controls related to org communication support the proper functioning of internal controls, including controls over the quality and relevance of information used w/in communication |
|
IC component: monitoring |
management's process to assess the quality of internal control performance over time (controls over controls) |
|
limitations of internal controls |
human error, collusion, management override, cost/benefit analysis |
|
low detection risk strategy |
complete work at year-end. audit tests for all significant audit assertions using physical examination, review of external documents, confirmation, and reperformance. extensive testing of significant accounts |
|
high detection risk strategy |
work at interim and year-end. corroborative audit tests using physical examination, analytical procedures, and substantive tests. limited testing of accounts |
|
deficiency in design |
a needed control is either missing or flawed |
|
deficiency in operation |
the control is designed well, but is not operating as designed |
|
SOX 404a |
management has to report the results from its own tests of the company's internal control over financial reporting, identifying any deficiencies |
|
SOX 404b |
auditor draws on management's findings and their own tests, then independently assesses and reports on internal controls (ONLY for accelerated filers) |
|
accelerated filer |
>$75mil in market capitalization/public float, have to file within 75 days of year-end |
|
large accelerated filers |
>$700mil in market capitalization/public float, have to file within 60 days of year-end |
|
non-accelerated filers |
<$75mil in market capitalization/public float, have to file within 90 days of year-end |
|
material weakness |
deficiency in ICFR such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis |
|
significant deficiency |
deficiency in ICFR that's less severe than a material weakness, yet important enough to merit attention (remote possibility) |
|
deficiency |
design or operation of a control doesn't allow employees in the normal course of performing their assigned function to prevent or detect misstatements on a timely basis (the catch-all) |
|
unqualified opinion on ICFR |
entity's internal control is designed and operating effectively (no material weaknesses) |
|
adverse opinion on ICFR |
material weakness is identified |
|
history of SOX 404b |
SOX requires internal control audit of all public companies in phases (first, accelerated filers), SEC delays implementation for non-accelerated filers, Dodd-Frank permanently exempts non-accelerated filers. Then, JOBS Act exempts EGCs (Emerging Growth Companies: <1bil in rev, within 5 years of IPO) |
|
AS2 |
original standard for auditing internal controls, required a bottom-up approach (test every control, very expensive) |
|
AS5 |
replaced AS2, required a top-down, risk-based approach for auditing internal controls |
|
entity-level controls |
pervasive to the internal control system (related to the control environment, controls over management override, the company's risk assessment process) |
|
transaction/account-level controls |
pertain to specific classes of transactions, account balances, and disclosures |
|
auditor process for testing controls |
1. walkthrough (gain basic understanding of key processes); 2. test of design (is the design appropriate for the given assertion); 3. test of effectiveness (is the control operating as designed) |
|
Type 1 SOC-1 |
describes org's controls and assesses the design |
|
Type 2 SOC-1 |
describes org's controls, assesses the design, and provides assurance on the operating effectiveness |
|
cash internal control activities |
dual custody of cash at all times, lockbox arrangement, fidelity bonds |
|
Lapping |
cash fraud where an employee steals cash received from customer 1, then applies cash received from customer 2 to customer 1's account, then customer 3 to customer 2's account |
|
voucher packet |
purchase requisition, purchase order, receiving report, invoice (matched prior to cash disbursement authorization) |
|
audit evidence used to test cash |
cash receipts/disbursements journals, bank recs, cancelled checks, bank balance via confirmation, cutoff bank statement |
|
cancelled check |
outgoing check that has been cleared by a customer |
|
bank rec |
balance per bank + deposits in transit - outstanding cks = balance per books |
|
when checking deposits in transit |
care about existence, vouch to cutoff bank stmt |
|
when checking outstanding checks |
care about completeness, trace cleared cks from cutoff stmt to client's list of OS cks |
|
check kiting |
floating of funds between bank accounts to make it appear that more cash is present --> get a schedule of bank-bank transfers |
|
audit risk |
probability of issuing an unqualified opinion on materially misstated finc stmts |
|
audit risk model |
IR x CR x DR = AR |
|
IR |
inherent risk. likelihood that (in the absence of controls) a material misstatement will enter the accounting system |
|
CR |
control risk. likelihood that a material misstatement will not be caught by the client's controls |
|
DR |
detection risk. likelihood that a material misstatement will not be caught by the auditor's procedures |
|
RMM |
risk of material misstatement = IR x CR. risk that material misstatement exists in the finc stmts before the auditor applies their substantive procedures |
|
factors affecting IR |
overall: prior problems, overall business risk; account-level: dollar size, liquidity, volume and complexity of transactions, new standards, subjective estimates |
|
assessing CR |
test internal control design & effectiveness |
|
factors affecting CR |
control environment, existence/lack of effectiveness of control activities, monitoring activities |
|
factors affecting DR |
nature, timing, extent of audit procedures, sampling risk, nonsampling risk |
|
sampling risk |
risk of choosing an unrepresentative sample |
|
nonsampling risk |
risk that auditor may reach inappropriate conclusions based on available evidence (calculation or something is wrong) |
|
nature, timing, and extent with lower DR |
nature: more effective tests; timing: year-end; extent: more tests |
|
nature, timing, and extent with higher DR |
nature: less effective tests; timing: interim; extent: fewer tests |
|
if DR is low, more or less work? |
more |
|
if DR is high, more or less work? |
less |
|
if CR is higher |
DR lower - more work |
|
if IR is higher |
DR lower, more work |
|
if AR is higher |
DR higher, less work |
|
PCAOB AS 12 |
risk-based auditing approach where the auditor must understand the company, its environment and controls, perform analytical procedures, and inquire of the audit committee, mgmt, and others about RMM. |
|
reasonableness test |
auditor compares estimates to recorded balances (required in prelim planning, optional in substantive testing, required in final review) |
|
horizontal analysis |
compare year-year changes |
|
vertical analysis |
changes are expressed as a "percentage of" base |
|
analytical procedure steps |
1. expectation; 2. define "significant difference"; 3. compare with recorded amounts; 4. investigate "significant differences"; 5. document each step |
|
audit team discussion (brainstorming) |
required, objective: gain understanding of previous experiences with client, how fraud might be perpetrated/concealed, procedures to detect fraud, set tone for engagement |
|
management fraud risk |
management intentionally misstates finc stmts |
|
misappropriation of assets |
employee intentionally misappropriates funds/property |
|
fraud conditions triangle |
incentive/pressure, opportunity, rationalization |
|
communication about misappropriation of assets |
at least one level above the people involved |
|
communication about management fraud |
report to those charged with governance (audit committee) |
|
ethics: imperative |
focus on rules |
|
ethics: utilitarianism |
focus on consequences |
|
ethics: virtue |
action consistent with internal values |
|
basic tenets of ethical conduct |
responsibilities, public interest, integrity, objectivity, due care, scope and nature of service |
|
AICPA code of professional conduct rule 101 |
defines covered members who can't have financial or managerial relationships in order to protect independence |
|
AICPA code of professional conduct rule 301 |
confidentiality of client information; CPA can't disclose confidential information without the client's consent |
|
AICPA code of professional conduct rule 302 |
contingent fees not permitted for attest clients and allowed for non-attest clients in some circumstances |