Exam 2

• sufficient audit documentation

• defensible audit documentation

• experienced auditor can pickup workpapers and understand/ reperform (should be no questions about how you did it or where the info came from)

• indicated who prepared, reviewed, and signed-off

• source documents should tie to the face of the financials (no ghost ticking)

auditor says they tied a transaction out to an invoice but they really didn’t (fraudulent and unethical)

• alerts supervisors to high-risk areas

• litigation protection: subpoena is possible

• PCAOB Auditing Standard #3: “not documented, not done”

• examination

• review

• agreed-upon procedures

• compliance

• operational

• ESG

examination (non-financial information) or audit (financials)

• high assurance- “reasonable assurance”

• risk of material misstatement (ROMM) is low

• “in our opinion…”

• all procedures that are available

• moderate assurance (i.e., less in scope than exam/ audit)

• ROMM: moderate

• “we are not aware…”

• mainly analytical procedures

• Would commonly see M&A within a review procedure bcs when merging or acquiring you might want to have one of your own auditors go in and check to make sure everything is okay

• low assurance

• ROMM: varies

• summary of outcome

• agreed upon procedures

• IRS audits for tax compliance

• regulations (ex. EPA)

• safety laws (ex. FDA)

• loan covenants for bank debt

• for effectiveness and efficiency of operations, processes, and benchmarks

• generally carried out by internal auditors

Environmental, social, and corporate governance reporting

• generally limited assurance for a company’s reports

operational audits- it’s actually better if you’re not because it's usually about improving a process

the risk that the auditor may unknowingly fail to appropriately modify the opinion on F/Ss that are materially misstated- risk that the auditor issues the wrong opinion

• want this risk to be as low as possible

• not directly influenced by auditor

• both component risks are assessed/ evaluated by the auditors

  • client risks

• risk that f/ss are materially misstated

• distribution of ownership

• business risk to audit firm

• client size

• litigation environment

AR= RMM x DR

• risk that auditor fails to detect a material misstatement

  • residual risk

• directly influenced by the auditor

• auditors reduce DR by increasing the quantity and quality of their testing

• auditors control AR through DR

• the F/Ss are materially misstated (RMM); and

• the auditor will not detect such misstatements (DR)

IR x CR

• susceptibility of an assertion to material misstatement aka the risk that an account is more likely to have numbers wrong

• assumes no related internal controls

• How risky is this company if they don’t have internal controls

• How risky are they– how risky are they as a company, how risky is their management team themSELVES not just the industry (not a credit card company, but more like Tesla because we know their CEO is a nut)

• important factors:

  • client’s business

  • management’s integrity

  • client competence

  • rush to produce F/Ss

  • pressure to hit key metrics

  • number and nature of related parties

  • routineness of transactions

• risk that internal control won’t prevent or detect and correct a material misstatement

• assessment based on understanding of client and testing of internal control

• important factors

  • control environment (tone at the top)

  • board of directors and audit committee

  • internal audit

  • effectiveness of accounting system

  • strength of internal control system

internal controls are good, the auditor plans to rely on the controls (design and implementation of control appear to be operating effectively)

• auditor will need to test controls to support low CR (to prove that they are working effectively and they can sufficiently rely on them)

• RMM= IR x CR

direct, the higher the IR, the more evidence required

direct, the higher the CR, the more substantive evidence needed

inverse, the higher the AR, the less audit evidence necessary

• can this about this in a tolerance way how he described it “more tolerance for doing bad (more audit risk) so we need less evidence”

inverse, the lower the DR, the more evidence required

• low DR means we need higher quality testing (more tests of details) because we have to PROVE why we have low DR

• high DR means tests of controls and analytical evidence sufficient

inverse, the higher the RMM, the lower the DR

• (high rmm, low DR) more assurance required from substantive testing (DR is lower the more testing we do)

• we cannot control RMM as the auditor, but we can control our testing, so if there is a high RMM, then we have to do MORE testing which would mean there is a lower DR.

determining the NET of audit testing

low DR is needed for accounts impacted by processes with high residual risk

achieved audit risk ≤ acceptable audit risk

lower AR bigger company, higher AR with smaller company

perform more tests related to aspects of the client presenting the highest risk

assess how clients react or fail to react to rapidly changing business risks

• profitability, liquidity, marketability

• employee morale & retention, stakeholder comfort

a control is a process that “comprises those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives”

• to improve the effectiveness of decision making and the efficiency of business processes

• to increase the reliability of information

• to comply with laws, regulations, and contractual obligations

ongoing (annual, quarterly, monthly, weekly, daily, more than daily)

management’s

not effective in eliminating all risks but reduces its potential

increases their ability to achieve its objectives

AS 2201 requires audits to include an opinion on F/Ss and internal control over financial reporting (ICFR) (based on SOX 404)— this is essentially just saying that they have to give an integrated audit

GAAS requires auditors to obtain an understanding of the company’s controls but does not require testing or an opinion— just a F/S opinion essentially

indirect, maximum reliance— lots of control testing, less substantive testing

• indirectly getting comfort if they have good controls, doesn’t directly tell us that their information is correct though

direct, minimum reliance— no control testing, lots of substantive testing

• automated control push you further towards minimum reliance because you can test for way more, so a lot more substantive testing occurs

• digital audit

• interim testing

• audit effort devoted to evaluating the output of the internal control structure (i.e. substantive)

• not possible with the controls testing still required for ICFR opinion

• separation of duties (ex. operations, authorizationin, custody, recordkeeping)

• proper authorization

• adequate documents and records

• physical control over assets and records

• independent checks on performance

• failure due to human error

  • do not understand or properly follow instructions

  • judgment errors

  • fatigue

• collusion could allow employees to circumvent segregation of duties

• management override

• overtime, the may be a breakdown or deterioration in compliance

internal controls over financial reporting

controls that reduce the risk of errors in the financial reporting process:

• accurately record routine transactions (ex. sales transactions)

• conformity with GAAP

• prevent fraud

• serve as IT general control (ITGC)

• facilitate estimation process for non-routine transactions

• facilitate period-end close and preparation of F/Ss

1. test and evaluate design

2. test and evaluate operating effectiveness

ICFR opinion (unqualified or adverse) based on control framework (i.e. COSO)

1. control environment

2. risk assessment

3. information and communication system

4. control activities

5. monitoring

the foundation of the COSO framework, an organization’s integrity, general competence, and ethics. attitudes and incentives (i.e. tone at the top)

controls located at the top of an organization

• mitigate strategic risks to the org and promote effectiveness of decision making and business activities

• COSO sections: control environment or monitoring

• examples:

  • audit committee

  • fraud controls

  • period-end financial reporting process controls

  • code of conduct, code of ethics

• top-level reviews

• performance indicators (i.e. KPIs) and benchmarking

• independent evaluations

senior management reviews the results of operations against forecasts and budgets and follow up on potential problems

potential inventory valuation problems are arising from competition or new entrants may be indicated by looking at the rate at which inventory is being sold, disaggregated by product line and geographic region

unfavorable budget variances followed up on when brought to the attention of someone who is independent of the process creating the variances

• failure to link to organizational objectives

• no accountability

• communication breakdowns

• top management circumvention/override

• process performance reviews

• processing controls

• application controls

• physical controls

• segregation of duties

• preventive

• detective

• corrective

controls that are put in place to avoid material misstatements

ex. segregation of duties, approval

controls that are put in place to discover material misstatements

ex. reconciliations, reviews, inventory counts

controls put in place to respond to material misstatements that were discovered by detective controls

ex. backups of master file, corrective JEs, updating password access after firings

• complementary

• redundant

• compensating

controls that function together

• detective and corrective controls for example

controls that cover the same F/S assertion or control objective

• lock and security camera for example

controls that can be relied upon to reduce the risk that an existing material weakness results in a material misstatement

• if one redundant control fails, the other becomes a compensating control, say the lock fails

do not use information technology

• ex. bank reconciliation, budget reviews, etc.

system-based controls that are programmed procedures

• ex. system report when inventory levels fluctuate

manual controls that rely on a report from the system

• ex. supervisor signs-off on inventory report

• frauds can be built into design and difficult to detect

• errors might not surface for a lagged period

• unauthorized access to information a significant risk

those who design or program can have a significant impact on risk of fraud if they are able to circumvent controls

• fewer people with expertise to supervise/ evaluate

• power failure

• concentration of data- lower probability of loss but higher magnitude of loss if problem occurs

• hacking by external parties

• viruses

IT general control: controls that are indirect to the actual system application (“wall” built around the application)

• development of systems- designed, tested, and placed in operations

• changes to systems- modified once put in place

• operations- contingency planning

• access to programs and data- security issues

aka application controls: controls built into place with the front end of an application (often prepackaged and documented)

• input controls

• process controls

• output controls

the key objective associated with the front end of an application

what are the key objective associated with the actual transaction processing and master file maintenance?

what are the key objectives associated with the results of transactions and systems performance?

• influences expectations about account balances

• suggests potential financial misstatements

• raises concerns about viability

• indicates potential threats to the control environment

• highlights potential comments for client

• management- control deficiencies

• audit committee- material weaknesses and significant deficiencies

• board of directors- if negative 404 opinion