82 Cards in this Set

  • Front
  • Back

Internal control definition

a process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance

who is responsible for maintaining effective internal controls?

management

the auditor focuses on those controls that contribute to the ___ of external financial reporting

reliability, timeliness, and transparency

five components of internal control

control environment, risk assessment, control activities, information and communication, and monitoring

three types of internal control

financial reporting, regulatory compliance, and operations

IC component: control environment

set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. board and senior management set the tone at the top, influencing the control consciousness of its people; it's the foundation for all other components

IC component: risk assessment

management's identification and analysis of relevant risks related to the achievement of its objectives (not the same as the auditor's risk assessment)

IC component: control activities

select and develop control activities that contribute to the mitigation of risks to the achievement of objectives. the "guts" of the internal control system (SOD, co-signing requirements, document trail)

ITGC (IT general controls)

access restrictions (passwords, locks), controls over changes to the environment (authorization, testing of changes)

IT application controls

limit and reasonable tests on inputs, data validity checks upon transfer of data

management assertions

existence/occurrence, completeness, accuracy, cutoff, classification, rights and obligations, valuation and allocation, authorization

IC component: information and communication

controls related to org communication support the proper functioning of internal controls, including controls over the quality and relevance of information used w/in communication

IC component: monitoring

management's process to assess the quality of internal control performance over time (controls over controls)

limitations of internal controls

human error, collusion, management override, cost/benefit analysis

low detection risk strategy

complete work at year-end. audit tests for all significant audit assertions using physical examination, review of external documents, confirmation, and reperformance. extensive testing of significant accounts

high detection risk strategy

work at interim and year-end. corroborative audit tests using physical examination, analytical procedures, and substantive tests. limited testing of accounts

deficiency in design

a needed control is either missing or flawed

deficiency in operation

the control is designed well, but is not operating as designed

SOX 404a

management has to report the results from its own tests of the company's internal control over financial reporting, identifying any deficiencies

SOX 404b

auditor draws on management's findings and their own tests, then independently assesses and reports on internal controls (ONLY for accelerated filers)

accelerated filer

>$75mil in market capitalization/public float, have to file within 75 days of year-end

large accelerated filers

>$700mil in market capitalization/public float, have to file within 60 days of year-end

non-accelerated filers

<$75mil in market capitalization/public float, have to file within 90 days of year-end

material weakness

deficiency in ICFR such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis

significant deficiency

deficiency in ICFR that's less severe than a material weakness, yet important enough to merit attention (remote possibility)

deficiency

design or operation of a control doesn't allow employees in the normal course of performing their assigned function to prevent or detect misstatements on a timely basis (the catch-all)

unqualified opinion on ICFR

entity's internal control is designed and operating effectively (no material weaknesses)

adverse opinion on ICFR

material weakness is identified

history of SOX 404b

SOX requires internal control audit of all public companies in phases (first, accelerated filers), SEC delays implementation for non-accelerated filers, Dodd-Frank permanently exempts non-accelerated filers. Then, JOBS Act exempts EGCs (Emerging Growth Companies: <1bil in rev, within 5 years of IPO)

AS2

original standard for auditing internal controls, required a bottom-up approach (test every control, very expensive)

AS5

replaced AS2, required a top-down, risk-based approach for auditing internal controls

entity-level controls

pervasive to the internal control system (related to control environment, over management override, company's risk assessment process)

transaction/account-level controls

pertain to specific classes of transactions, account balances, and disclosures

auditor process for testing controls

1. walkthrough (gain basic understanding of key processes)


2. test of design (is design appropriate for given assertion)


3. test of effectiveness (is control operating as designed)

Type 1 SOC-1

describes org's controls and assesses the design

Type 2 SOC-1

describes org's controls, assesses the design, and provides assurance on the operating effectiveness

cash internal control activities

dual custody of cash at all times, lockbox arrangement, fidelity bonds

Lapping

cash fraud where an employee steals cash received from customer 1, then applies cash received from customer 2 to customer 1's account, then customer 3 to customer 2's account

voucher packet

purchase requisition, purchase order, receiving report, invoice (matched prior to cash disbursement authorization)

audit evidence used to test cash

cash receipts/disbursements journals, bank recs, cancelled checks, bank balance via confirmation, cutoff bank statement

cancelled check

outgoing check that has been cleared by a customer

bank rec

balance per bank + deposits in transit - outstanding cks = balance per books

when checking deposits in transit

care about existence, vouch to cutoff bank stmt

when checking outstanding checks

care about completeness, trace cleared cks from cutoff stmt to client's list of OS cks

check kiting

floating of funds between bank accounts to make it appear that more cash is present --> get a schedule of bank-bank transfers

audit risk

probability of issuing an unqualified opinion on materially misstated finc stmts

audit risk model

IR x CR x DR = AR

IR

inherent risk. likelihood that (in the absence of controls) a material misstatement will enter the accounting system

CR

control risk. likelihood that a material misstatement will not be caught by the client's controls

DR

detection risk. likelihood that a material misstatement will not be caught by the auditor's procedures

RMM

risk of material misstatement = IR x CR. risk that material misstatement exists in the finc stmts before the auditor applies their substantive procedures

factors affecting IR

overall: prior problems, overall business risk




account-level: dollar size, liquidity, volume and complexity of transactions, new standards, subjective estimates

assessing CR

test internal control design & effectiveness

factors affecting CR

control environment, existence/lack of effectiveness of control activities, monitoring activities

factors affecting DR

nature, timing, extent of audit procedures, sampling risk, nonsampling risk

sampling risk

risk of choosing an unrepresentative sample

nonsampling risk

risk that auditor may reach inappropriate conclusions based on available evidence (calculation or something is wrong)

nature, timing, and extent with lower DR

nature: more effective tests


timing: year-end


extent: more tests

nature, timing, and extent with higher DR

nature: less effective tests


timing: interim


extent: fewer tests

if DR is low, more or less work?

more

if DR is high, more or less work?

less

if CR is higher

DR lower - more work

if IR is higher

DR lower, more work

if AR is higher

DR higher, less work

PCAOB AS 12

risk-based auditing approach where auditor must understand company, its environment and controls, perform analytical procedures, inquire audit committee, mgmt, and others about RMM.

reasonableness test

auditor compares estimates to recorded balances (required in prelim planning, optional in substantive testing, required in final review)

horizontal analysis

compare year-year changes

vertical analysis

changes are expressed as a "percentage of" base

analytical procedure steps

1. expectation


2. define "significant difference"


3. compare with recorded amounts


4. investigate "significant differences"


5. document each step

audit team discussion (brainstorming)

required, objective: gain understanding of previous experiences with client, how fraud might be perpetrated/concealed, procedures to detect fraud, set tone for engagement

management fraud risk

management intentionally misstates finc stmts

misappropriation of assets

employee intentionally misappropriates funds/property

fraud conditions triangle

incentive/pressure, opportunity, rationalization

communication about misappropriation of assets

at least one level above people involved

communication about management fraud

report to those charged with governance (audit committee)

ethics: imperative

focus on rules

ethics: utilitarianism

focus on consequences

ethics: virtue

action consistent with internal values

basic tenets of ethical conduct

responsibilities, public interest, integrity, objectivity, due care, scope and nature of service

AICPA code of professional conduct rule 101

defines covered members who can't have financial or managerial relationships in order to protect independence

AICPA code of professional conduct rule 301

confidentiality of client information; CPA can't disclose confidential information without the client's consent

AICPA code of professional conduct rule 302

contingent fees not permitted for attest clients and allowed for non-attest clients in some circumstances