ACC 550 Exam 2

What is the most costly type of fraud?

Financial Reporting Fraud

What is the distinguishing factor between fraud and error?

whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional.

Are auditors responsible for the detection of fraud?

An auditor conducting an audit is responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error.

Majority of significant financial statement fraud involves

Senior Management

Responses to address risk of management override

1) Review accounting estimates for biases

2) Evaluate business rationale for significant unusual transactions

3) Test appropriateness of journal entries and other adjustments

Why does AU-C 240 focus on testing journal entries?

Even if specific risks of material misstatement due to fraud are not identified by the auditor, a possibility exists that management override of controls could occur.

Three classifications of journal entries

1) Standard, recurring entries

2) Non-standard entries

3) "Top-side" entries

What types of journal entries should you select for testing?

1) Recorded at end of period

2) Made at unusual times

3) Round numbers or consistent ending numbers

4) Unusual combinations of debits and credits

What should be tested when assessing internal control over journal entries?

Segregation of Duties, Authorization, Oversight, and Regular Testing

What are the three views for materiality?

User, Auditor, and Preparer

What is materiality?

The omission or misstatement of an item in a financial report is material if, in the light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item

When do materiality decisions begin and end?

Planning to sign off

Factors used to determine materiality

1) Use % of a benchmark to establish materiality for F/S taken as a whole (quantitative)

2) Adjust for qualitative considerations, including fraud

What is Performance Materiality?

Maximum error in population auditor is willing to accept, applied to class of transactions, account balances, and disclosures, and it is always less than planning materiality.

Documentation requirements for materiality

1) Planning Materiality

2) Materiality for specific transactions, balances

3) Performance materiality

Qualitative factors for materiality

1) Masks a change in earnings or other trends

2) Hides a failure to meet analysts' consensus expectations

3) Changes a loss into income or vice versa

4) Affects the registrant's compliance with loan covenants or other contractual requirements

5) Effect of increasing management's compensation

6) Concealment of an unlawful transaction

Auditor Objectives relating to laws and regulations

Obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the F/S that are determined by the provisions of those laws and regulations generally recognized to have a direct effect on their determination. Perform specified audit procedures to identify instances of noncompliance that may have a material effect on the F/S. and respond appropriately.

Two categories of laws and regualtions

1) Direct effect on F/S

2) Do not have direct effect on F/S

Examples of Direct Effect on F/S

1) Tax laws affecting accruals

2) Revenue recognition under gov't contracts

3) Pension laws affecting recognition

4) Foreign Corrupt Practices Act

What are the components/requirements of the FCPA?

anti-bribery, maintain adequate books and records, and adequate internal controls over financial reporting

Examples Do Not Have Direct Effect on F/S

1) Operating license

2) Environmental regulations

3) Employment regulations

4) Occupational safety regulations

5) Regulatory solvency

What is the auditor's responsibility to detect noncompliance?

The auditor should obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations generally recognized to have a direct effect on the their determination

How should the auditor perform audit procedures to identify instances of noncompliance?

(a) inquire of management about compliance with laws and regulations

(b) inspect correspondence with relevant licensing or regulatory authorities.

What is noncompliance?

Acts of omissions or commission by the entity, either intentional or unintentional which are contrary to the prevailing laws or regulations. Does not include personal misconduct by those charged with governance, management, or employees of the entity.

Dealing with noncompliance, what should the auditor do to gain an understanding?

(a) the legal and regulatory framework applicable to the entity and the industry or sector in which the entity operates; and

(b) how the entity is complying with that framework

Indications of noncompliance

1) Investigation by governmental agency

2) Violations cited by regulators

3) Unusually large payments made in cash

4) Unexplained payments of gov't officials

5) Improperly recorded transactions

What steps should an auditor take when noncompliance is identified or suspected?

1) Obtain understanding of the nature of the act and circumstances in which it has occurred

2) Obtain further information to evaluate the possible effect on the financial statements

3) Discuss matter with management (at level above those involved)

4) Communicate with those charged with governance

What are the possible next steps when evaluating implications of noncompliance?

Question overall fair presentation of F/S, modified opinion, or withdrawal from engagement.

What documentation is needed for noncompliance?

1) Description of identified or suspected noncompliance

2) Results of discussion with management & those charged with governance

What does an integrated audit reports on?

1) Report on financial statements

2) Report on assessment of internal control over financial reporting

What is covered under SOX 404a?

1) Management establish and maintain adequate internal controls and procedures for financial reporting

2) Management issue annual report containing assessment of effectiveness of ICFR

What is covered under SOX 404b?

Auditor to attest to and report on assessment made by management

What is management's responsibility under SOX 404a?

1) Accept responsibility for the effectiveness of internal control over financial reporting

2) Evaluate the effectiveness of internal control over financial reporting using suitable control criteria

3) Support its evaluation of ICFR with sufficient evidence, including documentation

4) Present a written assessment of the effectiveness of internal control over financial reporting as of the end of the most recent fiscal year (Item 9A of 10K)

What are key provisions of the SEC Interpretative Guidance for management's responsibility?

1) Evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the F/S would not be prevented or detected in a timely manner

2) Top-down, risk-based approach, including role of entity-level controls

3) Management's evaluation of evidence about the operation of its controls should be based on its assessment of risk

4) Make risk-based judgments about the evidence needed

What does the SEC Interpretative Guidance say about the evaluation process?

Identify financial reporting risks and controls, evaluate evidence of the operating effectiveness of ICFR, and use multiple location considerations

What are the auditor's responsibilities for ICFR?

1) Express an opinion on the effectiveness of the company's ICFR

2) Plan and perform the audit to obtain competent evidence to obtain reasonable assurance about whether a material weakness exists

True or False: A material weakness in ICFR does not exist if the financial statements are not materially misstated

False

What are entity level controls?

ELCs are necessary for an effective system of ICFR and may affect the other controls management deems necessary to adequately address the financial reporting risks for a financial reporting element

What are the types of ELCs?

1) Indirect

2) Monitoring

3) Direct

What are indirect ELCs?

Important, but has an indirect effect, on the likelihood that a misstatement will prevented or detected on a timely basis

What are monitoring ELCs?

ELCs that are designed to identify possible breakdowns in lower-level controls but do not by themselves adequately address financial-reporting risks

What are direct ELCs?

Designed to operate at level of precision that would adequately prevent or detect material misstatement on a timely basis

What examples of ELCs?

1) Control environment

2) Management override

3) Risk assessment process

4) Centralized processes and controls

5) Monitor results of operations

6) Monitor other controls

7) Period-end financial reporting process

8) Policies over significant business control & risk management practices

Why did AS5 focus on entity level controls?

To tailor the audit by identifying and testing the most important controls and, when appropriate, reduce the testing of controls at the process level.

What is the Test of Controls formula?

Testing and Evaluating...

+Design and Implementation

+Operating Effectiveness

=Test of Controls

What are the appropriate procedures for Testing & Evaluating Design and Implementation?

1) Inquiries (not sufficient by itself)

2) Observation

3) Walkthroughs - reperformance

4) Inspection of relevant documentation

What does Testing & Evaluating Design focus on?

IC over financial reporting is effectively designed when the controls complied with would be expected to prevent or detect errors or fraud

What does Testing & Evaluating Operating Effectiveness focus on?

Whether a control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications

What are appropriate procedures for Testing & Evaluating Operating Effectiveness?

1) Inquiries (not sufficient by itself)

2) Inspection of relevant documentation

3) Observation

4) Reperformance

What are the reporting provisions of AS5?

Evaluate severity of each deficiency individually or in the aggregate and consider compensating controls, form opinion on effectiveness of ICFR, and consider impact of a material weakness on a F/S audit.

What is a control deficiency?

Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis

What is a significant deficiency?

A control deficiency that is less severe that a material weakness, yet important enough to merit attention by those overseeing financial reporting

What is a material weakness?

A deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement of the F/S will not be prevented or detected on a timely basis.

What determines the severity of a deficiency in ICFR?

Does not depend on whether a misstatement actually has occurred, but rather on whether there is a reasonable possibility that the company's ICFR will fail to prevent or detect a misstatement on a timely basis

What are the key considerations in determining the severity of a deficiency?

Reasonable possibility that the company's ICFR will fail to prevent or detect a misstatement on a timely basis, and magnitude of possible misstatement.

What are indicators of material weakness?

1) Identification of a fraud by senior management

2) Restatement of previously issued F/S to reflect correction of a material misstatement

3) Identification by the auditor of a material misstatement that would not have been detected by the company's ICFR

4) Ineffective oversight over external financial reporting and internal controls by the audit committee

How does IT impact inherent risk?

1) Complexity

2) Possible malfunctions

3) Assumption that everything is correct

4) "Out of sight, out of mind"

5) Garbage in, garbage out

6) Whatever it does, it does it consistently

Why are IT specialists used during an audit?

To determine the effect of IT on the audit, to understand the IT controls, or to design and perform tests on IT controls or substantive procedures is a significant aspect of many audit engagements

What factors do you need to consider in determining the need for IT professional?

1) Complexity of systems and IT controls

2) Significant changes made to systems

3) Data shared among systems

4) Participation in electronic commerce

5) Use of emerging technologies

6) Audit evidence available only in electronic form

What are possible areas for IT assistance?

1) Understanding how data and transactions are initiated, authorized, recorded, processed, reported

2) How IT controls are designed

3) Inspecting systems documentation

4) Observing operation of IT controls

5) Performing tests of IT controls

6) Performing substantive audit tests

7) Evaluation of results

8) Communication

What is the effect of IT on internal controls?

1) May effect many or all of the 5 components of internal control

2) May be part of a discrete system or a complex integrated system

3) Affect fundamental manner transactions are initiated, authorized, recorded, processed, and reported.

4) Often a mix of manual and automated controls

What is the impact of IT on internal controls?

1) Unauthorized assess/changes to data

2) Unauthorized changes to systems and programs

3) Failure to make necessary changes

4) Reliance on systems that process data incorrectly

5) Inappropriate manual intervention

6) Potential loss of data

7) IT personnel access beyond assigned duties

What are the two types of controls relevant to IT-related risks?

1) Application Controls

2) IT General Controls

What are the two types of Application controls? Give an example of each

Automated controls (Ex: credit check) and IT-dependent controls (Ex: monthly exception reports).

What are IT General Controls?

1) Access to programs and data

2) Program changes to operating systems and applications

3) Program development for new, acquired, or developed operating systems and applications

4) Computer operations

5) Obtain evidence throughout the period under audit

Why is the testing of ITGC's important?

1) Impact on IT controls

2) Impact on information provided from use of technology

3) Watch inadvertent reliance on information provided by technology

Where is IT used to prepare financial statements?

1) Enter transactions in G/L or subsidiary ledgers

2) Initiate, authorize, record, and process journal entries

3) Initiate and record recurring and nonrecurring journal entries

4) Combine and consolidate G/L data

5) Prepare financial statements

What is the purpose of CAAT's? (computer assisted audit techniques)

IDEA is an example of a CAAT, use predetermined audit procedures, can save you a lot of time with large amounts of data, and you spend your time looking at exceptions

What are possible applications for CAAT's?

1) Tests of ITGC's

2) Tests of application controls

3) Tests of details of transactions and balances

4) Extracting data for audit testing

5) Reperforming calculations performed by entity's accounting system

What are the specific concerns on the use of spreadsheets?

Evaluate use and complexity of spreadsheets, determine level of controls (change control, version control, access control, and input control), and backups.

What is a service organization?

An organization or segment of an organization that provides services to user entities that are relevant to those user entities' internal control over financial reporting

What is a service auditor?

Practitioner who reports on controls at a service organization

What is a user entity?

Entity that uses a service organization and whose F/S are being audited

What is a user auditor?

Auditor who audits and reports on the F/S of a user entity

What is the responsibility of auditor when a client uses a service organization?

If the user auditor is unable to obtain sufficient understanding from the user entity, the user auditor should obtain the understanding from 1 or more of the following:

1) Obtain Type 1 or 2 report

2) Contacting the service organization

3) Visiting the service organization & performing procedures

4) Use another auditor to perform procedures

What are the considerations in using a service auditor's report?

Professional reputation of the service auditor, adequacy of standards reports issued (Type 1 or Type 2)

What is a Type 1 report

Report on service organization and suitability of design of controls.

What is a Type 2 report

Report on service organization and suitability of design and operating effectiveness of controls.

What should you do if you are using service auditor report as audit evidence?

Evaluate whether "as of" or "for the period" date is appropriate, sufficiency of evidence provided for understanding controls, determine whether complementary user entity controls have been implemented, and inspect type 2 report when determining operating effectiveness.

What are analytical procedures?

1) Evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data."

2) Analytical procedures consist of evaluations of financial information made by a study of plausible relationships among both financial and nonfinancial data.

Analytical procedures also encompass the investigation of significant differences from expected amounts.

What type of information can you use for analytical procedures?

1) Information for comparable prior periods

2) Anticipated results

3) Relationships among elements of F/S

4) Industry information

5) Relationship between financial and nonfinancial information

When do auditors use analytical procedures?

1) Risk assessment to identify RMM (required here)

2) Substantive test to obtain evidence about an assertion

3) Overall review of F/S in final review stage (required here)

What is a risk assessment analytical procedures?

Purpose: Assist in planning the audit procedures

Focus:

(a) Enhancing auditor's understanding,

(b) identify areas with possible specific risks

Data aggregation level: High

Type of data: Primarily financial

Timing and extent: Varies, usually @ planning

Example: Inventory turns by item prior to inventory price test

What is the final review analytical procedures?

Purpose: Assist in assessing conclusions reached and overall F/S presentation

Focus:

(a) adequacy of evidence gathered,

(b) corroborate audit evidence obtained

Data aggregation level: High

Type of data: Primarily financial

Timing and extent: At end of engagement; may indicate additional evidence needed

Example: Read F/S, footnotes, MD&A

What are substantive analytical procedures?

Purpose: Obtain evidence to support assertion

Focus: (a) Identification of misstatements or omissions, (b) consider level of assurance desired

Data aggregation level: Disaggregated

Type of data: All types

Timing and extent: Often done in concert with substantive tests of transactions or tests of details of balances

Example: Apply historical average of allowance for doubtful accounts to gross A/R and compare to current allowance balance, also compare to sales growth

What are the requirements for analytical procedures?

1) Determine suitability for assertions (not helpful for testing existence or rights and obligations)

2) Evaluate reliability of data

3) Develop expectation of recorded amounts - sufficiently precise to identify misstatement

4) Determine difference between expected amount and recorded amount

What the advantages of analytical procedures?

1) Cost effective

2) Focus audit effort

3) Forest for the trees

What are the disadvantages of analytical procedures?

1) Ability to establish auditor expectation

2) Lack of precision

3) Failure to detect unusual relationship

4) Failure to follow up on exceptions

What do effectiveness and efficiency of audit procedures depend on?

1) Nature of assertion (Misstatement not be apparent from examination of details)

2) Plausibility & predictability (Known predictable relationships, Income statement accounts more predictable)

3) Availability & reliability of data (I/C, independent source, subject to testing)

4) Precision of the expectation (To obtain desired level of assurance (performance materiality) and Greater detail increases opportunity to detect errors)

What should you do if analytical procedures identify inconsistent fluctuations?

1) Reconsider methods and factors, if warranted

2) Inquire of management and corroborate response

3) Perform additional substantive audit procedures

What are the steps in the systematic process to conducting analytical procedures?

1) Identify assertion subject to analysis

2) Identify key facts to analysis

3) Identify relevant performance measures

4) Obtain data and perform computations

5) Structure analysis

6) Perform analysis

7) Investigate & evaluate differences

8) Conclude or expand tests

What is audit sampling?

Selection and evaluation of < 100% of population to conclude about population

What is sampling risk?

Conclusion about sample different than entire population

What is nonsampling risk?

Reach erroneous conclusion not related to sampling risk

What is population?

Entire data set to draw conclusion

What is sampling unit?

Individual items comprising the population

What is stratification?

Dividing population into subpopulations

What is statistical sampling?

Approach to sampling that consists of random selection and use of appropriate statistical technique to evaluate results, including sampling risk

What is nonstatistical sample?

1) Not statistical sampling

2) Lacks two characteristics (random selection and use of appropriate statistical technique to evaluate results)

What is tolerable misstatement?

Application of performance materiality to sampling