Auditing Test 2
|The successor auditor must contact the predecessor auditor before entering into contract. What are the 4 questions you must ask them?
|1. What is your opinion of mgmt's integrity? 2. Were there any disagreements with clients about GAAP or GAAS? 3. If the prev auditor had any reqd communications with the audit committee. Were there any illegal acts? 4. Why are you no longer the auditor
|Does the predecessor auditor need to answer your questions?
|The predecessor is req'd to answer promptly and honestly.
|The engagement letter
|Does not have to be in writing but it is strongly recommended that it be in writing.
|What type of knowledge should the auditor obtain about the client and its industry?
|Organizational structure, locations, products and services, any difficult acct areas, management's philosophy, payroll structure (how upper mgmt is compensated), large turnover rate in the acct dept, the acct info sys used, I/C the client has in place.
|Perform analytical procedures.
|Ratio analysis and trend analysis. This is to identify areas with possible problems to be looked at further.
|What are the auditor's responsibilities when obtaining a new client?
|1. Client acceptance/continuance 2. Obtain knowledge about client and its industry. 3. Perform analytical procedures 4. Identify client assertions 5. Establish prelim materiality. 6. Assess components of A/R 7. Assess fraud risk. 8. Write audit pr
|What does the audit program do?
|Gives an experienced auditor a guideline and can be used as a checklist. It allows you to figure out the composition of the audit team.
|What is audit risk?
|The risk that we give the wrong opinion.
|How can you determine audit risk?
|Inherent Risk x Control Risk x Tolerable level of detection risk.
|Control risk and tolerable level of detection risk are inverse.
|Control Risk- Low Tolerable level of detection risk- High and vice versa.
|What is inherent risk?
|The risk there are material misstatements, assuming there are no internal controls in place. Some industries have more IR than others.
|What is control risk?
|The risk the I/C will not catch material misstatements. There will always be some risk present.
|What is detection risk?
|The risk the I/C will not catch material misstatements.
|What are internal controls?
|Policies and procedures that: 1. safeguard assets (from theft and damage) 2. improve the accuracy of accounting records. 3. Ensure compliance with laws and regulations. 4. Improve the efficiency and effectiveness of operations.
|What does SOX think about I/C?
|They must have a recognizable and acceptable framework.
|Develop an acceptable system for internal controls.
|c- Control activities r- Risk assessment i- information systems m- monitoring e- environment
|Policies and procedures that are in place
|the company assesses their own risk
|Accounting information system, communication system
|management monitoring compliance
|(Control Environment) Overall value management places on Internal Controls.
|What is management responsible for?
|Having an effective system of internal controls, constantly be assessing risk and internal controls, must think about how much they are willing to spend on I/Cs.
|What is the auditor responsible for?
|Obtaining an understanding of internal controls and documenting that understanding. (Flow chart, questionnaire, must be in writing, narrative).
|Assess Control Risk
|Maximum- Few tests of controls. Extensive substantive controls. Less than maximum- More tests of controls, fewer substantive tests
|Opinion of Internal Controls
|Unqualified or adverse
|Significant deficiency or material weakness in client's I/Cs. As soon as they are found management must be notified immediately.
|What is fraud?
|Theft or manipulating numbers on the F/S.
|What is professional skepticism?
|We cannot assume that management is completely dishonest.
|Fraud standard requires brainstorming
|How could fraud occur for this client?
|Fraud standard requires utilizing the fraud triangle
|The fraud triangle includes incentives or pressures, opportunities, and attitude/rationalization.
|How do opportunities occur?
|From poor or nonexistent internal controls.
|How do you utilize the fraud triangle?
|If any 2 of 3 points on fraud triangle are present, you must increase fraud risk.
|What does the fraud standard require from management and the board of directors?
|Ask management and the board of directors if they know about or suspect fraud, how they look for fraud, and if there is a code of conduct.
|What if no code of conduct is in place?
|We have found a direct effect illegal act.
|The fraud standard requires
|The fraud standard requires that you assess fraud risk
|- revenue recognition - if we observe mgmt overriding internal controls. Anytime management doesn't pay attention to internal controls.
|The fraud standard requires that you must always look at:
|- unusual transactions - accounting estimates - adjusting entries
|The fraud standard requires
|that you build unpredictability into the audit.
|What if we found fraud?
|Talk to BOD and mgmt one level above whoever is involved in the fraud, tell them about the situation and that they must fix it. If they do, we can give an unqualified opinion. If they don't, we will give a qualified or adverse opinion.
|What are the physical controls?
|Physically keeping the computers safe. -locks, temperature, fire control, camera, guards, gps
|What are access controls?
|passwords, firewalls, sign in sheet, encryption
|What are input controls?
|drop down menus, validation tests (record count, hash total), immediate notification if the wrong info is input, limit controls (ex. limit in cash drawer)
|What are processing/storage?
|-back-up (maybe third party) -disaster recovery plan (worst case scenario) must test this plan -Error report - Reconciliation
|What are output controls?
|- Screen protector - position of monitor - edit report - access report
|What if a client is sophisticated in IT?
|The more sophisticated a client is in IT, the more expertise is needed.
|Different IT environments
|-stand alone computers -network (LAN and WAN) -SAP (database management system) -E-commerce -Outsourced IT
|- Audit around the computer - Audit through the computer (test data approach, parallel simulation, embedded audit module approach)
|Must you mention a specialist in the audit report?
|If you change your opinion based on what the specialist said, you must mention them in the audit report.