Exam 2


101 Terms

1

audit documentation facets

  • sufficient audit documentation

  • defensible audit documentation

2

sufficient audit documentation

  • experienced auditor can pick up workpapers and understand/reperform (should be no questions about how you did it or where the info came from)

  • indicates who prepared, reviewed, and signed off

  • source documents should tie to the face of the financials (no ghost ticking)

3

ghost ticking

auditor says they tied a transaction out to an invoice but they really didn’t (fraudulent and unethical)

4

defensible audit documentation

  • alerts supervisors to high-risk areas

  • litigation protection: subpoena is possible

  • PCAOB Auditing Standard #3: “not documented, not done”

5

types of services/ attestation

  • examination

  • review

  • agreed-upon procedures

  • compliance

  • operational

  • ESG

6

examination as a type of attestation

examination (non-financial information) or audit (financials)

  • high assurance- “reasonable assurance”

  • risk of material misstatement (ROMM) is low

  • “in our opinion…”

  • all procedures that are available

7

review as a type of attestation

  • moderate assurance (i.e., less in scope than exam/ audit)

  • ROMM: moderate

  • “we are not aware…”

  • mainly analytical procedures

  • would commonly see M&A within a review procedure because, when merging or acquiring, you might want to have one of your own auditors go in and check to make sure everything is okay

8

agreed-upon procedures as a type of attestation

  • low assurance

  • ROMM: varies

  • summary of outcome

  • agreed upon procedures

9

compliance as a type of attestation

  • IRS audits for tax compliance

  • regulations (ex. EPA)

  • safety laws (ex. FDA)

  • loan covenants for bank debt

10

operations audits as a type of attestation

  • for effectiveness and efficiency of operations, processes, and benchmarks

  • generally carried out by internal auditors

11

ESG reporting as a type of attestation

Environmental, social, and corporate governance reporting

  • generally limited assurance for a company’s reports

12

what type(s) of attestation don’t you need to be independent for?

operational audits- it’s actually better if you’re not because it's usually about improving a process

13

audit risk (AR)

the risk that the auditor may unknowingly fail to appropriately modify the opinion on F/Ss that are materially misstated- risk that the auditor issues the wrong opinion

  • want this risk to be as low as possible

14

risk of material misstatement (RMM)

  • not directly influenced by auditor

  • both component risks are assessed/ evaluated by the auditors

    • client risks

  • risk that F/Ss are materially misstated

15

factors that determine what level of audit risk is acceptable for a given client

  • distribution of ownership

  • business risk to audit firm

  • client size

  • litigation environment

16

audit risk model (ARM)

AR= RMM x DR

17

detection risk (DR)

  • risk that auditor fails to detect a material misstatement

    • residual risk

  • directly influenced by the auditor

  • auditors reduce DR by increasing the quantity and quality of their testing

  • auditors control AR through DR

18

audit risk comprises the risk that:

  • the F/Ss are materially misstated (RMM); and

  • the auditor will not detect such misstatements (DR)

19

RMM formula

IR x CR

20

inherent risk (IR)

  • susceptibility of an assertion to material misstatement aka the risk that an account is more likely to have numbers wrong

  • assumes no related internal controls

  • How risky is this company if they don’t have internal controls

  • How risky are they: how risky are they as a company, and how risky is their management team themselves, not just the industry (not a credit card company, but more like Tesla because we know their CEO is a nut)

  • important factors:

    • client’s business

    • management’s integrity

    • client competence

    • rush to produce F/Ss

    • pressure to hit key metrics

    • number and nature of related parties

    • routineness of transactions

21

control risk (CR)

  • risk that internal control won’t prevent or detect and correct a material misstatement

  • assessment based on understanding of client and testing of internal control

  • important factors

    • control environment (tone at the top)

    • board of directors and audit committee

    • internal audit

    • effectiveness of accounting system

    • strength of internal control system

22

an auditor assesses CR as low when:

internal controls are good, the auditor plans to rely on the controls (design and implementation of control appear to be operating effectively)

  • auditor will need to test controls to support low CR (to prove that they are working effectively and they can sufficiently rely on them)

  • RMM= IR x CR

23

relationship between IR and need for evidence

direct, the higher the IR, the more evidence required

24

relationship between CR and need for substantive evidence

direct, the higher the CR, the more substantive evidence needed

25

relationship between AR and need for evidence

inverse, the higher the AR, the less audit evidence necessary

  • can think about this in a tolerance way, as he described it: “more tolerance for doing bad (more audit risk) so we need less evidence”

26

relationship between DR and need for evidence

inverse, the lower the DR, the more evidence required

  • low DR means we need higher quality testing (more tests of details) because we have to PROVE why we have low DR

  • high DR means tests of controls and analytical evidence sufficient

27

relationship of RMM and DR

inverse, the higher the RMM, the lower the DR

  • (high RMM, low DR) more assurance required from substantive testing (DR is lower the more testing we do)

  • we cannot control RMM as the auditor, but we can control our testing, so if there is a high RMM, then we have to do MORE testing which would mean there is a lower DR.

28

what is the ARM used for

determining the NET of audit testing

29

business risk auditing

low DR is needed for accounts impacted by processes with high residual risk

30

the ultimate goal

achieved audit risk ≤ acceptable audit risk

31

typical size of AR associated with size of company

lower AR with bigger company, higher AR with smaller company

32

fundamental to resource allocation:

perform more tests related to aspects of the client presenting the highest risk

33

knowledge of client risks

assess how clients react or fail to react to rapidly changing business risks

  • profitability, liquidity, marketability

  • employee morale & retention, stakeholder comfort

34

definition of internal control

a control is a process that “comprises those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives”

35

objectives of internal controls

  • to improve the effectiveness of decision making and the efficiency of business processes

  • to increase the reliability of information

  • to comply with laws, regulations, and contractual obligations

36

internal controls are a(n) _____ process

ongoing (annual, quarterly, monthly, weekly, daily, more than daily)

37

whose responsibility are internal controls?

management’s

38

how do internal controls affect risk

not effective in eliminating all risks but reduce their potential

39

how do internal controls affect the organization

increase its ability to achieve its objectives

40

internal control requirements for public companies

AS 2201 requires audits to include an opinion on F/Ss and internal control over financial reporting (ICFR) (based on SOX 404)— this is essentially just saying that they have to give an integrated audit

41

internal control requirements for private companies

GAAS requires auditors to obtain an understanding of the company’s controls but does not require testing or an opinion— just a F/S opinion essentially

42

reliance on internal controls means what kind of testing

indirect, maximum reliance— lots of control testing, less substantive testing

  • indirectly getting comfort if they have good controls, doesn’t directly tell us that their information is correct though

43

reliance on substantive is what kind of testing

direct, minimum reliance— no control testing, lots of substantive testing

  • automated controls push you further towards minimum reliance because you can test for way more, so a lot more substantive testing occurs

44

maximum internal control reliance

  • digital audit

  • interim testing

45

minimum internal control reliance

  • audit effort devoted to evaluating the output of the internal control structure (i.e. substantive)

  • not possible with the controls testing still required for ICFR opinion

46

characteristics of good internal controls

  • separation of duties (ex. operations, authorization, custody, recordkeeping)

  • proper authorization

  • adequate documents and records

  • physical control over assets and records

  • independent checks on performance

47

internal controls limitations

  • failure due to human error

    • do not understand or properly follow instructions

    • judgment errors

    • fatigue

  • collusion could allow employees to circumvent segregation of duties

  • management override

  • over time, there may be a breakdown or deterioration in compliance

48

what does ICFR stand for

internal controls over financial reporting

49

ICFR

controls that reduce the risk of errors in the financial reporting process:

  • accurately record routine transactions (ex. sales transactions)

  • conformity with GAAP

  • prevent fraud

  • serve as IT general control (ITGC)

  • facilitate estimation process for non-routine transactions

  • facilitate period-end close and preparation of F/Ss

50

top-down approach for ICFR

  1. test and evaluate design

  2. test and evaluate operating effectiveness

ICFR opinion (unqualified or adverse) based on control framework (i.e. COSO)

51

COSO framework components

  1. control environment

  2. risk assessment

  3. information and communication system

  4. control activities

  5. monitoring

52

control environment

the foundation of the COSO framework: an organization’s integrity, general competence, and ethics; attitudes and incentives (i.e. tone at the top)

53

entity level controls (what are they, what do they do, what sections in COSO, and examples)

controls located at the top of an organization

  • mitigate strategic risks to the org and promote effectiveness of decision making and business activities

  • COSO sections: control environment or monitoring

  • examples:

    • audit committee

    • fraud controls

    • period-end financial reporting process controls

    • code of conduct, code of ethics

54

management level control examples

  • top-level reviews

  • performance indicators (i.e. KPIs) and benchmarking

  • independent evaluations

55

example of a top-level review

senior management reviews the results of operations against forecasts and budgets and follows up on potential problems

56

example of a performance indicator (i.e. KPIs)/ benchmarking

potential inventory valuation problems arising from competition or new entrants may be indicated by looking at the rate at which inventory is being sold, disaggregated by product line and geographic region

57

example of an independent evaluation

unfavorable budget variances are followed up on when brought to the attention of someone who is independent of the process creating the variances

58

limitations of entity-level controls

  • failure to link to organizational objectives

  • no accountability

  • communication breakdowns

  • top management circumvention/override

59

process level control examples

  • process performance reviews

  • processing controls

  • application controls

  • physical controls

  • segregation of duties

60

three categories of controls

  • preventive

  • detective

  • corrective

61

preventive controls

controls that are put in place to avoid material misstatements

ex. segregation of duties, approval

62

detective controls

controls that are put in place to discover material misstatements

ex. reconciliations, reviews, inventory counts

63

corrective controls

controls put in place to respond to material misstatements that were discovered by detective controls

ex. backups of master file, corrective JEs, updating password access after firings

64

control types

  • complementary

  • redundant

  • compensating

65

complementary control

controls that function together

  • detective and corrective controls for example

66

redundant control

controls that cover the same F/S assertion or control objective

  • lock and security camera for example

67

compensating control

controls that can be relied upon to reduce the risk that an existing material weakness results in a material misstatement

  • if one redundant control fails, the other becomes a compensating control, say the lock fails

68

manual controls

do not use information technology

  • ex. bank reconciliation, budget reviews, etc.

69

automated controls

system-based controls that are programmed procedures

  • ex. system report when inventory levels fluctuate

70

manual controls with an automated component

manual controls that rely on a report from the system

  • ex. supervisor signs-off on inventory report

71

types of error and fraud for automated controls

  • frauds can be built into design and difficult to detect

  • errors might not surface for a lagged period

  • unauthorized access to information is a significant risk

72

threat of management override for automated controls

those who design or program can have a significant impact on risk of fraud if they are able to circumvent controls

73

additional risks for automated controls

  • fewer people with expertise to supervise/ evaluate

  • power failure

  • concentration of data- lower probability of loss but higher magnitude of loss if problem occurs

  • hacking by external parties

  • viruses

74

ITGCs

IT general control: controls that are indirect to the actual system application (“wall” built around the application)

  • development of systems- designed, tested, and placed in operations

  • changes to systems- modified once put in place

  • operations- contingency planning

  • access to programs and data- security issues

75

automated controls

aka application controls: controls built into place with the front end of an application (often prepackaged and documented)

  • input controls

  • process controls

  • output controls

76

input controls

the key objective associated with the front end of an application

77

process controls

what are the key objectives associated with the actual transaction processing and master file maintenance?

78

output controls

what are the key objectives associated with the results of transactions and systems performance?

79

implications of residual risk

  • influences expectations about account balances

  • suggests potential financial misstatements

  • raises concerns about viability

  • indicates potential threats to the control environment

  • highlights potential comments for client

80

auditor communication requirements

  • management- control deficiencies

  • audit committee- material weaknesses and significant deficiencies

  • board of directors- if negative 404 opinion
