Exam 3 Review Sheet This review does not cover every thing. You need to study your text book, notes, and other handouts. You need to know: 1. What auditing is
Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria. Auditing should be done by a competent, independent person. 2. Reasons for audit planning
To enable the auditor to obtain sufficient competent evidence for the circumstances, to minimize legal liability and maintain a good reputation in the business community. To help keep audit costs reasonable, helps the firm remain competitive and thereby retain or expand its client base and to Avoid misunderstandings with the client, to have good client relations and for facilitating high-quality work at reasonable cost. 3. Definitions of inherent risk and acceptable audit risk
Acceptable audit risk and Inherent risk have a significant effect on the conduct and cost of audits. • Acceptable audit risk is a measure of how willing the auditor is to accept that the financial statements may be materially misstated after the audit is completed and an unqualified opinion has been issued. 10-1
Inherent risk is a measure of the auditor's assessment of the likelihood that there are material misstatements in an account balance before considering the effectiveness of internal control. o If, for example, the auditor concludes that there is a high likelihood of material misstatement in an account such as accounts receivable, the auditor would conclude that inherent risk for accounts receivable is high. •
Assessments of acceptable audit risk and inherent risk are an important part of audit planning, because they affect the amount of evidence to be accumulated and staff to be assigned to the engagement. 4. The major steps in audit planning
Initial audit planning involves four things, all of which should be done early in the audit. 1. The auditor decides whether to accept a new client or continue serving an existing one. This is typically done by an experienced auditor who is in a position to make important decisions. 2. The auditor identifies why the client wants or needs an audit. This information is likely to affect the remaining parts of the planning process. 3. The auditor obtains an understanding with the client about the terms of the engagement to avoid misunderstandings. The staff for the engagement is selected, including any required audit specialists. 5. The communication between successor and predecessor CPA and how is responsible for initiating it (SAS No. 84)
For prospective clients that have previously been audited by another CPA firm, the new (successor) auditor is 10-2
required by SAS 84 (AU 315) to communicate with the predecessor auditor. The communication may inform the successor auditor that the client lacks integrity or that there have been disputes over accounting principles, audit procedures, or fees. 6. The purpose of an engagement letter
A clear understanding of the terms of the engagement should exist between the client and the CPA firm. SAS 108 (AU 310) requires that auditors must document their understanding with the client in an engagement letter, including the engagement's objectives, the responsibilities of the auditor and management, and the engagement's limitations. The engagement letter should specify whether the auditor will perform an audit, a review, or a compilation, plus any other services such as tax returns or management consulting. It should also state any restrictions to be imposed on the auditor's work, deadlines for completing the audit, assistance to be provided by the client's personnel in obtaining records and documents, and schedules to be prepared for the auditor. It often includes an agreement on fees. The engagement letter is also a means of informing the client that the auditor cannot guarantee that all acts of fraud will be discovered. The engagement letter does not affect the CPA firm's responsibility to external users of audited financial statements, but it can affect legal responsibilities to the client.
10-3
The engagement letter will also include the agreement for the audit of the effectiveness of internal control over financial reporting. An example of an engagement letter is given in Figure 8-2 (p. 212 7. ?who is responsible for establishing a private company’s internal control
Management has responsibility for establishing and maintaining the entity's internal controls. Management is also required by Section 404 to publicly report on the operating effectiveness of those controls. In contrast, the auditor's responsibilities include understanding and testing internal control over financial reporting. The auditor is also required by Section 404 to issue an audit report on management's assessment of its internal controls. 8. what are the key concepts that underlie management’s design and implementation of internal control
Two key concepts underlie management's design and implementation of internal control •
Reasonable Assurance: A company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated. (Consider cost and benefit).
•
Inherent Limitations: Internal controls can never be regarded as completely effective, regardless of the care followed in their design and implementation. Even if systems personnel can design an ideal system, its effectiveness will depend on the competency and dependability of the people using it. 10-4
9. The study and evaluation of internal control of public and private companies are required by who or what 10. what are the primary objectives of effective internal control
INTERNAL CONTROL OBJECTIVES • A system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals. • Management typically has three broad objectives in designing an effective internal control system: 1.
Reliability of financial reporting. The management is responsible for the reliability of financial statements and the objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities.
Efficiency and effectiveness of operations. Controls within an organization are meant to encourage efficient and effective use of its resources to optimize the company's goals. Compliance with laws and regulations. Section 404 requires all public companies to issue a report about the operating effectiveness of internal control over financial reporting. 2.
11. what is the framework used to evaluate the effectiveness of internal control
- In addition, management's internal control report must identify the framework used to evaluate the effectiveness of internal control. The internal control framework for most 10-5
U.S. companies is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, issued in 1992. • The SEC requires management to include its report on internal control in its annual Form 10-K report filed with the SEC. COSO COMPONENTS OF INTERNAL CONTROL COSO's Internal Control—Integrated Framework, the most widely accepted internal control framework in the United States, describes internal control as consisting of five components that management designs and implements to provide reasonable assurance that its control objectives will be met. Each component contains many controls, but auditors concentrate on those designed to prevent or detect material misstatements in the financial statements. The COSO internal control components include the following: 1. Control environment 2. Risk assessment 3. Control activities 4. Information and communication 5. Monitoring The control environment serves as the umbrella for the other four components 12. what is separation of duties and example on it
1. Adequate Separation of Duties 10-6
• Separation of the Custody of Assets from Accounting • Separation of the Authorization of Transactions from the Custody of Related Assets • Separation of Operational Responsibility from Record-Keeping Responsibility • Separation of IT Duties from User Departments Naturally, the extent of separation of duties depends heavily on the size of the organization. 13. under SOX, what are public companies responsibilities in terms of internal control 14. The items of the audit planning models. AAR = IR X CR X PDR PDR = AAR / IR X CR AAR acceptable auditing risk IR inherent risk PDR Planned detection risk 15. what are the common methods of testing internal controls
Procedures for Tests of Controls The auditor is likely to use four types of procedures to support the operating effectiveness of internal controls: 1. Make inquiries of appropriate client personnel. Although inquiry is not generally a strong source of evidence about the effective operation of controls, it is an appropriate form. 2. Examine documents, records, and reports. Many controls leave a clear trail of documentary evidence. 3. Observe control-related activities. Some controls do not leave an evidence trail, which means that it is not possible to examine evidence that the control was 10-7
executed at a later date. For example, separation of duties relies on specific persons performing specific tasks, and there is typically no documentation of the separate performance. 4. Reperform client procedures. 16. What are the important documents that are used in the sales cycle 17. The difference between vouching and tracing 18. What are the effective procedures to examine audit objectives of occurrence and completeness, what is the direction of each test 19. What is substantive test 20. The difference between public and private companies in terms of testing internal control procedures Questions and Exercises 1. When inherent risk is high, there will need to be: a. more evidence accumulated. b. more experienced staff assigned to the work. c. either a or b, but not both. d. both a and b. d 2. Initial audit planning involves four matters. Which of the following is not one of these? a. Develop an overall audit strategy. b. Request that bank balances be confirmed. c. Schedule engagement staff and audit specialists. d. Identify the client’s reason for the audit. B 3. A CPA firm may choose to not continue working with an audit client for which of the following reasons? a. Conflicts over past audits. b. Disagreements regarding the type of opinion to issue. c. Disagreements regarding audit fees. d. All of the above. D 4. Which of the following statements is true regarding communications between predecessor and successor auditors? a. The burden of initiating the communication rests with the predecessor. 10-8
b. c. d.
The predecessor should attempt to respond fully and truthfully to the successor’s inquiries. The predecessor should communicate with the successor only if the client is public. There is no requirement that the predecessor and successor communicate.
B 5. An engagement letter sent to an audit client usually would not include a(n): a. reference to the auditor’s responsibility for the detection of errors or irregularities. b. estimation of the time to be spent on the audit work by audit staff and management. c. statement that management advisory services would be made available upon request. d. reference to management’s responsibility for the financial statements. C 6. Discuss the factors an auditor should consider before accepting a company as an audit client. Answer: The auditor should investigate and consider the prospective client’s standing in the business community, financial stability, management’s integrity, and relations with its bankers, attorneys, and previous CPA firm. The auditor should also determine whether he or she possesses the required competence and independence to do the audit.
7. Define the term “related party” and discuss why an auditor should identify the client’s related parties early in the audit. Answer: A related party is an affiliated company, principal owner of the client company, or any other party with which the client deals where one of the parties can influence the management or operating policies of the other. Auditors need to be aware of who the client’s related parties are early in the audit to enable the auditor to identify related-party transactions, especially those that have not been disclosed.
8. There are three main reasons why an auditor should properly plan audit engagements. Discuss each of these reasons. Answer: Three reasons why an auditor should properly plan audit engagements are:
10-9
• To enable the auditor to obtain sufficient competent evidence for the circumstances. This is essential for minimizing legal liability and maintaining a good profession reputation. • To help keep audit costs reasonable. Given the competitive auditing environment, keeping costs reasonable helps the firm obtain and retain clients. • To avoid misunderstandings with the client. This is important for good client relations.
9. Discuss the required communications between predecessor and successor auditors as outlined by SAS No. 84. Answer: Auditing standards require a successor auditor to communicate with the predecessor auditor whenever accepting a client that has been previously audited. The purpose of the communication is to help the successor auditor evaluate whether to accept the engagement. While the burden of initiating the communication rests on the successor auditor, the predecessor auditor must respond to the request for information. However, because of the requirements related to confidentiality, the predecessor must obtain the former client’s permission prior to providing information to the successor.
10. Discuss the four primary purposes of analytical procedures performed during the planning phase of an audit. Answer: The four primary purposes of preliminary analytical procedures are: • to help the auditor understand the client’s industry and business, • to help the auditor assess the going concern assumption, • to indicate areas of possible misstatements, and • to reduce the extent of detailed tests.
11. Which of the following is responsible for establishing a private company’s internal control? a. Management. b. Auditors. c. Management and auditors. d. Committee of Sponsoring Organizations. A
10-10
12. Which of the following parties provides an assessment of the effectiveness of internal control over financial reporting for public companies? a. Management. b. Financial statement auditors. c. Management and the financial statement auditors. d. Committee of Sponsoring Organizations. C 13. When management is evaluating the design of internal control, management evaluates whether the control can do all but which of the following? a. Prevent material misstatements. b. Detect material misstatements. c. Correct material misstatements. d. None of the above is correct. C 14. There are four steps in the auditor’s process of understanding internal control and assessing control risk for a public company. Step one is obtain and document an understanding of internal control: design and operation. What are the remaining three steps? Answer: The remaining three steps are: • Assess control risk. • Design, perform, and evaluate tests of controls. • Decide planned detection risk and substantive tests. 15. During a financial statement audit of a private company, three steps must be completed by the auditor before concluding that control risk is low. What are these steps? Answer: The three steps that must be completed by the auditor before concluding that control risk is low are: 1. obtaining an understanding of the control environment, risk assessment procedures, accounting information and communication system, and monitoring methods at a fairly detailed level; 2. identify specific controls that will reduce control risk and make an assessment of control risk; and 3. test the effectiveness of controls. 16.
10-11
The internal control framework developed by COSO includes five so-called “components” of internal control. Discuss each of these five components. Answer: Five components of internal control are: • The control environment. The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management about control and its importance to the company. • Risk assessment. This is management’s identification and analysis of risks relevant to the preparation of financial statements in accordance with GAAP. • Information and communication. This is the set of manual and/or computerized procedures that identifies, assembles, classifies, analyzes, records, and reports a company’s transactions and maintains accountability for the related assets. • Control activities. These are the policies and procedures that help ensure necessary actions are taken to address risks in the achievement of the company’s objectives. • Monitoring. This is management’s ongoing and periodic assessment of the quality of internal control performance to determine that controls are operating as intended and modified when needed.
17. Which of the following is not one of the five classes of transactions included in the sales and collection cycle? a. Sales returns and allowances b. Charge-off of uncollectible accounts c. Bad debt expense d. Depreciation expense
10-12
d 18. Most companies recognize sales revenue when: a. sales are invoiced. b. customer orders are received. c. goods are shipped. d. customer orders are approved. 19. The credit-granting function should be separated from which of the following? a. Purchasing function b. Manufacturing function c. Sales function d. None of the above c 20. Explain each of the following types of documents and indicate the class of transactions in which they are commonly used. 1. Customer order 2. Shipping document 3. Remittance advice 4. Sales returns and allowance journal 5. Uncollectible account authorization form Answer: 1. Customer order – request for merchandise by a customer. Appears in the Sales class of transactions. 2. Shipping document – document prepared to initiate shipment of goods, indicating the description of the merchandise, the quantity shipped, and other relevant data. Appears in the Sales class of transactions. 3. Remittance advice – document that accompanies the sales invoice mailed to the customer and can be returned to the seller with payment. Appears in the Cash receipts class of transactions. 4. Sales returns and allowance journal – journal used to record all sales returns and allowances, analogous to the sales journal. Appears in the Sales returns and allowance class of transactions. 5. Uncollectible account authorization form – document used internally to indicate authority to write off an account receivable. Appears in the charge off of Uncollectible accounts class of transactions. 21. When testing the occurrence objective for sales, the auditor is concerned with the possibility of three types of misstatements. One type is sales being included in the journal for which no shipment was made. Discuss the other two types of misstatements. Answer:
10-13
The auditor is also concerned with the possibility of (1) shipments being made to nonexistent customers and recorded as sales, and (2) sales being recorded more than once.
22. Describe the three basic steps an auditor should follow when designing tests of controls and substantive tests of transactions. Answer: The three basic steps in designing tests of controls and substantive tests of transactions are: • Determine key internal controls for each audit objective. • Design tests of controls for each control used to support a reduced control risk. • Design substantive tests of transactions to test for monetary misstatements for each objective.
10-14