ACC 402 Final Review V2

What is the definition of auditing?

Accumulation and evaluation of evidence about information to determine and report the degree of correspondence between information and established criteria.

What are the 5 required elements of auditing?

(1) Information, (2) Established criteria (GAAP), (3) Sufficient appropriate evidence, (4) Competent independent auditor, (5) Auditor's report/opinion.

What is information risk?

The risk that users rely on misstated financial information when making decisions.

What are the 4 causes of information risk?

(1) Management bias/motives, (2) Remoteness of users, (3) Voluminous data, (4) Complex transactions.

What are the 3 ways to reduce information risk?

(1) User verifies information themselves, (2) Share risk with management, (3) Independent audit — this is the best answer on exams.

What is the difference between accounting and auditing?

Accounting produces financial statements and is a management function. Auditing evaluates statements and produces the auditor's report — the auditor's responsibility.

What is a financial statement audit?

Evaluates whether financial statements are fairly presented under an applicable framework (e.g., GAAP).

What is a compliance audit?

Determines whether the entity is following specific rules, contracts, or regulations.

What is an operational audit?

Evaluates the efficiency and effectiveness of an organization's operations.

What are the 4 types of auditors?

(1) Independent auditors (CPA), (2) Internal auditors, (3) Government auditors, (4) IRS auditors.

What is the difference between assurance and nonassurance services?

Assurance services improve the quality of information (e.g., audits, reviews, attestation). Nonassurance services are recommendations to management only (e.g., consulting, tax planning) — no assurance provided.

What are the 3 types of attestation services and their assurance levels?

(1) Audit — reasonable assurance, (2) ICFR audit — reasonable assurance, (3) Review — moderate/limited/negative assurance.

What are the 4 main audit regulators?

(1) SEC — oversees securities markets, delegates to PCAOB, (2) PCAOB — public company audit standards, (3) ASB — issues SAS for nonpublic audits, (4) IAASB — issues ISAs for international audits.

Which standards apply to public vs. private company audits?

Public companies: PCAOB (AS — Auditing Standards). Private companies: ASB (SAS — Statements on Auditing Standards). International: IAASB (ISA — International Standards on Auditing).

What are the 6 quality control elements? (Mnemonic: LRECHM)

(1) Leadership, (2) Relevant ethical requirements, (3) Client acceptance and continuance, (4) Human resources, (5) Engagement performance, (6) Monitoring.

What quality control elements are NOT tested?

Risk assessment and information/communication — these are additions from the quality management standard and are not tested.

What are the 3 general standards of auditing?

(1) Adequate technical training and proficiency, (2) Independence in mental attitude, (3) Due professional care.

What are the 3 standards of fieldwork?

(1) Proper planning and supervision, (2) Understand the entity's internal control, (3) Sufficient appropriate evidence.

What are the 4 reporting standards?

(1) Conformity with GAAP, (2) Consistency, (3) Adequate disclosures, (4) Expression of an opinion or disclaimer.

What are the 3 conditions required for a standard unmodified opinion?

(1) No material GAAP departures, (2) No material scope limitations, (3) Auditor is independent.

What is the full order of required AICPA audit report sections?

(1) Opinion, (2) Basis for Opinion, (3) Management Responsibilities, (4) Auditor Responsibilities, (5) Signature, (6) Address, (7) Date.

What is an unmodified opinion?

A clean opinion — financial statements are fairly presented in all material respects in conformity with GAAP.

What is a qualified opinion?

"Except for" one specific issue, the statements are fairly presented. Issued when a problem is material but NOT pervasive.

What is the exact wording trigger for a qualified opinion?

"Except for…"

What is an adverse opinion?

The financial statements do NOT present fairly. Issued when a GAAP departure is so material and pervasive it affects the statements as a whole.

What is the exact wording trigger for an adverse opinion?

"Do not present fairly…"

What is a disclaimer of opinion?

The auditor issues NO opinion at all. Exact wording: "We do not express an opinion…"

What causes a disclaimer of opinion?

(1) A scope limitation so pervasive the auditor can't form any conclusion, OR (2) Lack of independence — independence problems ALWAYS result in a disclaimer automatically.

GAAP departure + material but not pervasive → what opinion?

Qualified ("Except for…").

GAAP departure + material AND pervasive → what opinion?

Adverse ("Do not present fairly…").

Scope limitation + material but not pervasive → what opinion?

Qualified.

Scope limitation + material AND pervasive → what opinion?

Disclaimer ("We do not express an opinion…").

Independence problem → what opinion always?

Disclaimer — automatically. No exceptions.

Can a scope limitation ever lead to an adverse opinion?

No. Scope → Qualified or Disclaimer only. GAAP → Qualified or Adverse only. Never cross them.

What are the 5 situations that result in a modified unmodified report?

(1) Change in accounting principle, (2) Going concern doubt, (3) Emphasis of matter, (4) Shared responsibility, (5) Justified GAAP departure.

What is a modified unmodified report?

A report that still carries an unmodified (clean) opinion but includes modified/additional explanatory language.

What is the PCAOB term for a clean opinion vs. AICPA?

PCAOB uses "Unqualified." AICPA uses "Unmodified." Different words — same concept.

What are Critical Audit Matters (CAMs)?

Matters communicated to the audit committee that (1) relate to material accounts/disclosures AND (2) involve especially challenging, subjective, or complex auditor judgment. Required under PCAOB for public company audits.

What are Key Audit Matters (KAMs)?

The AICPA/international equivalent of CAMs. Optional under U.S. GAAS — not required.

What additional reporting is required for PCAOB accelerated filers?

ICFR (Internal Control over Financial Reporting) report is required in addition to the financial statement opinion.

How is reporting modified when IFRS is used?

The GAAP wording in the report is modified to reference IFRS instead. If dual standards apply, both are mentioned.

What are the 3 levels of the AICPA Code of Professional Conduct?

(1) Principles, (2) Rules of Conduct, (3) Interpretations.

What are the 6 principles of professional conduct?

(1) Responsibilities, (2) Public Interest, (3) Integrity, (4) Objectivity and Independence, (5) Due Care, (6) Scope and Nature of Services.

What are the 7 independence threats?

(1) Adverse interest, (2) Advocacy, (3) Familiarity, (4) Management participation, (5) Self-interest, (6) Self-review, (7) Undue influence.

What is a self-interest threat?

When the auditor has a financial or other personal interest in the client (e.g., owns client stock).

What is a self-review threat?

When the auditor reviews their own prior work (e.g., auditing statements they helped prepare).

What is a familiarity threat?

When a long or close relationship with client personnel causes the auditor to be too sympathetic or accepting.

What is a management participation threat?

When the auditor takes on a management role or makes management decisions for the client.

What are the SOX independence requirements?

(1) Audit committee must oversee the auditor, (2) Lead partner rotation: 5 years on / 5 years off, (3) 1-year cooling-off before joining client in key role, (4) Certain non-audit services to audit clients are prohibited.

What are management's 3 primary responsibilities?

(1) Prepare the financial statements, (2) Maintain effective internal controls, (3) CEO/CFO certifications (SOX).

What is the auditor's responsibility regarding misstatements?

Obtain reasonable assurance that financial statements are free of material misstatement — whether due to error or fraud. NOT a guarantee.

What is the difference between an error and fraud?

Error = UNINTENTIONAL misstatement. Fraud = INTENTIONAL — requires intent to deceive.

What are the 2 types of fraud?

(1) Fraudulent financial reporting (management fraud — fictitious revenue, premature recognition, manipulating estimates), (2) Misappropriation of assets (employee fraud — stealing cash, fictitious vendors, skimming).

What is a direct-effect illegal act?

An illegal act with a direct and material effect on financial statement amounts. Auditor obtains reasonable assurance these are detected. Example: tax law violations.

What is an indirect-effect illegal act?

An illegal act whose financial effect is indirect. Auditor performs only specified procedures — not required to actively detect. Example: environmental violations, OSHA violations.

What are the 5 procedures for indirect-effect illegal acts?

(1) Inquire of management, (2) Review minutes for evidence, (3) Inspect correspondence with regulatory agencies, (4) Review legal expense accounts, (5) Obtain attorney letters regarding known violations.

What are the 7 transaction-level assertions?

(1) Occurrence, (2) Completeness, (3) Accuracy, (4) Posting & Summarization, (5) Classification, (6) Timing/Cutoff, (7) Presentation.

What does "Occurrence" mean for transactions?

Recorded transactions actually happened and relate to the entity — no fictitious transactions.

What does "Completeness" mean for transactions?

All transactions that should be recorded have been — nothing is omitted.

What does "Cutoff" mean?

Transactions are recorded in the correct accounting period.

What are the 8 balance-level assertions?

(1) Existence, (2) Completeness, (3) Accuracy, (4) Classification, (5) Cutoff, (6) Detail tie-in, (7) Realizable value, (8) Rights & Obligations.

What is the "Existence" vs. "Completeness" distinction for balances?

Existence tests for overstatement — does the recorded balance actually exist? Completeness tests for understatement — are all balances that should be recorded included?

What does "Rights & Obligations" mean?

The entity owns the assets (rights) and is responsible for the liabilities (obligations).

What does "Realizable Value" mean?

Assets are recorded at amounts that reflect what will actually be collected or realized (e.g., A/R net of allowance for doubtful accounts).

What is the difference between sufficient and appropriate evidence?

Sufficient = QUANTITY (enough of it). Appropriate = QUALITY (relevant and reliable). Both are required — a large volume of unreliable evidence is still insufficient.

What are the 8 types of audit evidence?

(1) Physical examination, (2) Confirmation, (3) Inspection, (4) Analytical procedures, (5) Inquiry, (6) Recalculation, (7) Reperformance, (8) Observation.

What is physical examination as evidence?

The auditor directly inspects or counts a tangible asset (e.g., counting inventory, examining a piece of equipment).

What is a confirmation?

A direct written response from a third party (e.g., bank, customer) verifying information in the client's records. Generally the strongest evidence for accounts receivable.

What is recalculation?

The auditor independently re-checks the arithmetic of client-prepared documents (e.g., rechecking depreciation schedules).

What is reperformance?

The auditor independently re-executes a control or procedure to verify it was performed correctly.

What is observation as evidence?

The auditor watches a process or procedure being performed (e.g., watching inventory counts, observing the mail-opening procedure).

What is the evidence reliability hierarchy?

External > Internal; Directly obtained > Indirect; Strong controls > Weak controls; Objective > Subjective; Closer to year-end > Earlier; Qualified provider > Unqualified.

What is the most reliable type of evidence?

External evidence obtained directly by the auditor — e.g., bank confirmations, direct responses from third parties.

What is the weakest type of evidence?

Inquiry alone — asking questions without independent corroboration provides the least assurance.

What are Nature, Timing, and Extent?

Nature = TYPE of procedure used. Timing = WHEN it is performed (year-end vs. interim). Extent = HOW MUCH (sample size). The auditor adjusts all three to achieve desired detection risk.

How does lower detection risk affect Nature, Timing, and Extent?

Lower PDR requires: (1) Better/more reliable procedures (Nature), (2) Testing closer to year-end (Timing), (3) Larger sample sizes (Extent).

What are the rules for predecessor/successor auditor communication?

Successor initiates communication and must get client permission. Predecessor must respond fully unless there is a justified reason to limit the response. Likely tested as an ethics-style MCQ.

What must be included in an engagement letter?

(1) Objectives of the engagement, (2) Auditor responsibilities, (3) Audit limitations, (4) Management responsibilities, (5) Applicable reporting framework, (6) Expected form of the report.

What are examples of specialists an auditor might use?

Lawyer, engineer, geologist, actuary, appraiser.

When is a specialist referenced in the audit report?

Usually NOT referenced in an unmodified report. May be referenced in a modified report.

What are the 5 categories for understanding the client's business? (Figure 8-3)

(1) Industry and external environment, (2) Operations and processes, (3) Governance and management, (4) Objectives and strategy, (5) Performance measurement.

What are planning analytical procedures?

Required analytical procedures performed during planning — include ratio analysis and common-size statements — to understand the client and identify risk areas.

What is materiality?

An amount is material if its omission or misstatement would influence the economic decisions of a reasonable financial statement user.

What is performance materiality?

A threshold set BELOW overall materiality — used for individual account testing to reduce the risk that the aggregate of uncorrected misstatements exceeds overall materiality.

What is the difference between quantitative and qualitative materiality?

Quantitative = dollar amount threshold. Qualitative = nature of the item (e.g., a small misstatement involving fraud is qualitatively material even if the dollar amount is small).

What is the relationship between materiality and evidence?

Lower materiality → MORE evidence required. Higher materiality → LESS evidence required.

What is the Audit Risk Model formula?

AR = IR × CR × PDR (Audit Risk = Inherent Risk × Control Risk × Planned Detection Risk).

What is Audit Risk (AR)?

The risk that the auditor expresses an inappropriate opinion on financial statements that are materially misstated.

What is Inherent Risk (IR)?

The susceptibility of an assertion to material misstatement, assuming no related controls exist. Auditor assesses it — cannot control it.

What is Control Risk (CR)?

The risk that a material misstatement will not be prevented or detected on a timely basis by the entity's internal controls. Auditor assesses — cannot control.

What is Planned Detection Risk (PDR)?

The risk that audit procedures will fail to detect a material misstatement. The ONLY component the auditor CONTROLS — by adjusting Nature, Timing, and Extent.

What is Risk of Material Misstatement (RMM)?

RMM = IR × CR. The combined risk that a material misstatement exists before considering the auditor's detection procedures. Auditor assesses this — does not control it.

If RMM is high, what must PDR be, and what does that mean?

PDR must be LOW — the auditor must do MORE work (better procedures, year-end testing, larger samples) to keep overall audit risk acceptable.

What factors increase Inherent Risk?

Risky industry, first-year audit, prior period misstatements, judgment-heavy accounts (estimates), related party transactions, complex transactions, fraud risk factors.

What factors affect Acceptable Audit Risk (AAR)?

More external users → lower AAR. More financial distress → lower AAR. Lower management integrity → lower AAR. (Lower AAR = auditor must do more work.)

What are significant risks?

Risks requiring special audit attention — typically involve fraud, revenue recognition, related parties, complex transactions, or significant estimates requiring substantial judgment.

Is revenue recognition always a significant risk?

Yes — revenue recognition is ALWAYS presumed to be a fraud risk on every audit. This is a required assumption, not a judgment call.

What is the Fraud Triangle?

The 3 conditions that must ALL be present for fraud: (1) Incentive/Pressure, (2) Opportunity, (3) Rationalization. Remove any one and fraud is much less likely.

What is fraudulent financial reporting?

Management fraud — intentional misstatement of financial statements. Examples: fictitious revenue, premature revenue recognition, manipulating accounting estimates.

What is misappropriation of assets?

Employee fraud — theft of company resources. Examples: stealing cash, creating fictitious vendors, skimming receipts before recording.