92 Cards in this Set
- Front
- Back
Who has responsibility for internal controls?
|
audit committee
|
|
COSO
|
Committee on sponsoring activities
|
|
3 things COSO focuses on
|
effectiveness/efficiency of operations; financial reporting; compliance with laws/regs
|
|
Five components of internal controls per COSO framework
|
Control environment; entity risk assessment; control activities; information and communication; monitoring activities
|
|
Control environment
|
sets the tone at the top of the organization
|
|
Information processing controls: general
|
controls that apply to entirety of company's IT area
|
|
Information processing controls: application
|
controls that relate to specific IT applications
|
|
Effect of size on internal controls
|
small companies are more likely to catch something since there is less going on; management has more hands-on responsibility; you can still use controls approach but it is harder
|
|
Limitations of internal controls: ways controls can be beaten
|
override; collusion; human error
|
|
Documenting understanding of internal controls (4)
|
Flowcharts; narrative description; internal control questionnaires; procedures manual
|
|
What happens if auditor does not intend to rely on internal controls:
|
set control risk at maximum and use substantive procedure
|
|
As reliability of controls increases, substantive tests can _______
|
decrease
|
|
As risk and materiality increases, year end testing should ______
|
increase
|
|
If we do testing early we ___ to the end of the year
|
roll it forward
|
|
Greater the risk, ____ the testing; however _____
|
later. It also makes sense to do it early to avoid any surprises
|
|
When to test: allowance for bad debts
|
high risk: do both early and late
|
|
when to test: cash
|
Should be tested later in the year because it's fungible; it's risky
|
|
When to test: depreciation
|
probably at the beginning because it's less risky
|
|
Service bureaus
|
third party provider; for example: they do payroll, fixed assets, bookkeeping
|
|
Service organization control report: type 1 tests
|
looked at controls and describes system; no opinion issued
|
|
Service organization type 2 tests
|
can also test controls
|
|
Our responsibility relating to service bureaus
|
if type 1 report or bad type 2 report, somebody has to go back in and do testing; if type 2 report then we can accept results of their audit; don’t have to reperform work done by service bureaus
|
|
Communication of I/C issues to client (non public company): material weakness
|
Reasonable possibility of material misstatement; has to be in writing to management and those charged with governance
|
|
Communication of I/C issues to client (non public company): significant deficiency
|
less severe than material weakness, but still merits consideration; has to be in writing to management and those charged with governance
|
|
Communication of I/C issues to client (non public company)
|
verbally communicate to management
|
|
Amount that qualifies smaller company as exempt from external audit of internal control over financial reporting
|
75 million
|
|
Management's responsibility under 404 (4)
|
1. accept responsibility for effectiveness of ICFR; 2. evaluate the effectiveness of ICFR; 3. support the evaluation with sufficient evidence; 4. present a written assessment regarding effectiveness of entity's ICFR as of the end of entity's most recent fiscal year
|
|
Auditor's responsibility under 404 and AS5
|
1. must issue report on effectiveness as of end of the year; 2. must be done using an integrated audit approach; 3. must reach level of reasonable assurance
|
|
Who is responsible for overall implementation of ICFR
|
Management and board of directors
|
|
Who is responsible for reliability of ICFR
|
CEO and CFO
|
|
Control deficiency: design
|
control is missing or not designed well
|
|
control deficiency: operating
|
designed properly but not executed properly
|
|
3 categories of magnitude
|
material; not material but significant; not material or significant
|
|
Likelihood and magnitude chart: material weakness
|
material and reasonably possible: report externally, to audit committee, and to management
|
|
Likelihood and magnitude chart: significant deficiency
|
Not material but significant and reasonably possible: report to audit committee and management
|
|
Likelihood and magnitude chart: control deficiency
|
not material or significant and reasonably possible: report to management
|
|
Management's evaluation process for evaluating ICFR (3)
|
1. identify financial reporting risks and related controls; 2. consider which locations to include in the evaluation; 3. evaluate evidence about the operating effectiveness of ICFR
|
|
Integrated audit
|
audit of ICFR and FS that does 3 things: planning of both are done together; has to be same audit firm; results of 1 are used to help with the other and vice versa
|
|
Steps in audit of ICFR (5)
|
1: planning; 2: identify controls to test based on a top down risk based approach; 3: test the design and effectiveness of selected controls; 4: evaluate identified control deficiencies; 5: form an opinion on the effectiveness of ICFR
|
|
planning:
|
assess risk/fraud; scaling audit; using work of others
|
|
Top down, risk based approach (4)
|
identify entity level controls; identify significant accounts and disclosures and their relevant assertions; understand likely sources of misstatement; select controls to test (only test key controls)
|
|
Timing of testing for general and application controls
|
must test general every year; test application controls in year 1, but don’t have to test in future years as long as there have been no changes or problems
|
|
What are control deficiencies based on
|
if a misstatement could occur, not if a misstatement did occur
|
|
Remediation
|
management fixes the control deficiency in sufficient time so that management and auditors have time to test before end of year; key is not only that control is fixed but it is tested to make sure it works
|
|
What happens if management refuses to give written representations
|
we have to issue a disclaimer of opinion - a scope of the audit issue
|
|
What type of report to give if a control or significant deficiency
|
modification based on type of deficiency: unqualified opinion
|
|
What type of report to give if a material weakness
|
modification based on type of deficiency: adverse opinion
|
|
what type of report to give if a minor effect
|
modification based on scope limitation: unqualified
|
|
what type of report to give if more than minor effect
|
modification based on scope limitation: disclaim opinion or withdraw
|
|
Can you have an adverse opinion on controls, but an unqualified opinion of financial statement:
|
sure, as long as you are able to audit around weakness
|
|
Professionalism
|
acting in a manner consistent with what is expected from a CPA, lawyer, etc
|
|
Sources for private company audits
|
AICPA; ISB
|
|
sources for public company audits
|
PCAOB; ISB; SEC
|
|
Principles of professional conduct
|
Ideal attitudes and behaviors; general and not enforceable
|
|
Rules of conduct
|
minimally acceptable standards; specifically enforceable
|
|
Interpretations and rulings
|
detailed interpretations and answers to questions regarding rules of conduct; not specifically enforceable, but departures must be justified
|
|
Covered Member
|
a member that is on the engagement team; in a position to influence the engagement; a partner who provides more than 10 hours of nonattest services; a partner in the office in which the lead engagement partner practices; the firm
|
|
Indirect financial interests
|
may be a problem if covered member owns more than 5% of mutual fund; if less than 5% it's ok
|
|
Are blind trusts considered direct financial interest
|
yes
|
|
4 circumstances in which loans aren't considered direct financial interest
|
car loan/lease (collateralized by vehicle); CSV of insurance policy (collateralized by policy); cash deposit at lending institution (collateralized by deposit account); credit card (10,000) kept current at month end
|
|
Are mortgages allowed?
|
no
|
|
Rules: client employee moves to audit firm that does audit
|
cannot be on engagement team until the engagement doesn’t include any period of former employer; basically can't audit own work
|
|
Rules: CPA moves to client (non public company, key position)
|
must completely disassociate self with firm
|
|
Rules: CPA moves to client (public company, key position)
|
must wait one year cooling off period; you can resign from firm and take year off, or tell firm your plans and ask to get taken off the engagement
|
|
Rules: not going to key position
|
just dissociate self
|
|
What is key position
|
any position where you have an impact on financial statement or oversight role
|
|
rules: considering leave
|
have to tell firm if you're talking to client about a job
|
|
Non audit services that impair independence
|
never be in position to audit own work; never serve as advocate for management; actuarial, legal, expert, management, internal audit
|
|
Independence rules for taxes
|
can do tax returns for audit clients; cannot do it for key individuals or do tax shelter consulting
|
|
5 year rule
|
5 years on and 5 years off for partners
|
|
communication with audit committee
|
meet at least once every quarter; discuss all critical accounting policies
|
|
Rule 301
|
limit circumstances where you can disclose client info without client permission: subpoena or court order; comply with disciplinary; disclosure for GAAP; buying or selling accounting practice
|
|
elevator rule
|
don’t talk about info in public places
|
|
same firm rule
|
If it's not your client you're not a covered member; you can't talk about client with someone in your firm if you don’t have same client
|
|
quality control review non public company
|
once every 3 and a half years
|
|
quality control review public companies:
|
if your firm does over 100 audits: once a year; if your firm does less than 100 audits: once every 3 years
|
|
2 categories of law auditors can be held liable under
|
common and statutory
|
|
elements of negligence
|
duty to conform; breach; direct connection; client had to suffer damages
|
|
liability to clients
|
breach of contract and negligence
|
|
liability to 3rd parties (typically investors)
|
Negligence; must 1st prove standing
|
|
privity
|
no liability unless there is a contract
|
|
near privity
|
contact with auditor
|
|
Foreseen 3rd party
|
followed by most states; people whose reliance is foreseen; shareholders don’t qualify
|
|
reasonably foreseen 3rd party
|
never followed
|
|
Fraud/ gross negligence - must prove 5 things
|
false representation; accountant knew it was false; knew third party would rely on it; 3rd party relied on it; 3rd party did rely on it
|
|
Joint and several
|
whoever is more at fault pays full damages
|
|
SEC act of 1933
|
relate to filing of new securities; must prove they suffered a loss by investment; financial statements contain an error
|
|
SEC act of 1934
|
regulates ongoing reporting of already registered securities; client/firm can be held liable for making false statements; can be held liable if material error and plaintiff lied and damages based on lie and scienter was present
|
|
Private securities litigation reform act of 1995
|
proportionate liability; prohibit fishing expeditions
|
|
Securities Litigation Uniform Standards Act of 1998
|
cannot make claims in federal court that belong in state court
|
|
SOX act 404
|
CEO, CFO, and auditors must annually sign off on ICFR
|
|
RICO act
|
can be fined triple damages
|