A2 - Engagement Quality

Question 1

Who can sit on the audit committee?

Answer 1

○ 3-5 “outside directors” - directors who aren’t employees of the company
§ E.g. CEO usually sits on the BOD, they can’t sit on the AC though
○ Directors that don’t have a “material financial interest” in the company
§ E.g. outside director can’t have a big personal investment in the company

Question 2

What does the AC do?

Answer 2

a) Appoint auditor and determine how much auditor is paid
b) Assurances the auditor is independent from the company
c) Review any auditor findings
d) Ensure audit is good quality
e) Ensure recommendations from auditor is given appropriate attention
f) Resolve disagreements between auditor and management
g) Evaluate internal control environment of the company
h) Report to BOD and stockholders

Question 3

How often does the auditor need to be allowed private communications with the AC?

Answer 3

At least once a year

Question 4

What are some of the things the auditor should assess before they accept an engagement?

Answer 4

a) Can they meet the reporting deadline
b) Do they have enough staff capacity
c) Independence
d) Management’s integrity
e) Management’s framework is acceptable
f) Management accepts responsibility for FS and internal controls
g) Management will give them access to all information relevant to the FS and unrestricted access to personnel within the company
This is one of the very rare circumstances in which “all” answers are correct
h) Scope limitations (e.g. client says that they don’t have adequate accounting records)
§ Or they can accept if a disclaimer of opinion is okay for the client’s purposes
§ If the management imposed scope limitation will result in a qualified opinion or the scope limitation is due to something beyond management’s control (e.g. a fire destroyed their records), then the auditor could still accept

Question 5

What is the engagement letter and what should be included in it?

Answer 5

a. Addressee
b. Objective and scope of audit
§ Reasonable, not absolute, assurance
c. Responsibility of auditor
d. Responsibility of management
§ Management is responsible for preparing the FS and internal controls
e. Other relevant information
f. Reporting
g. Signature
h. Other relevant items
§ Information relating to the timing
§ Information about arrangements with the previous auditor
§ Management will provide responses in a timely manner
§ Information about specialists that will be used

Question 6

What are the additional criteria for acceptance under an ERISA plan financial audit?

Answer 6

§ Maintain a current plan instrument
§ Plan is in conformity with the plan’s provisions

Question 7

What is an ERISA Section 103(a)(3)(c) audit? What are management’s additional responsibilities?

Answer 7

□ Auditor doesn’t have to look at all of the investments b/c certain investments can be certified by a qualified institution
□ Management likes these types of audits b/c auditor does less and therefore management is charged less
□ If management wants to do this, they are responsible for making sure that:
® they qualify for that type of audit
® investment info can be prepared and certified
® information is appropriately measured, presented, and disclosed
□ Management also has to provide the auditor Form 5500 (not required in typical FS audit, only ERISA)

Question 8

Do auditors of issuers and nonissuers need to obtain a new engagement letter every year?

Answer 8

• Issuers - auditor must obtain signed engagement letter EVERY YEAR
  ○ Signed by AC and auditor
• Nonissuers - if no revision is necessary, auditor should remind management of the terms of the engagement letter (either orally or in writing)

Question 9

What does the auditor have to do before the accept an audit?
*important area

Answer 9

○ Must talk to predecessor auditor
§ Must obtain client’s permission first
§ If management refuses, then you shouldn’t accept the engagement

○ Certain questions that they have to ask (HEAVILY TESTED AREA):
a) Management’s integrity
b) Disagreements with management
c) Reason for change in auditor
d) Any communication with AC (fraud, noncompliance, internal control matters)
e) Nature of entity’s relationships and transactions with related parties and unusual transaction
f) Look at predecessor’s working papers

Question 10

What are the 6 elements of quality control?
Hint: HELP ME

Answer 10

1) Human Resources
§ Recruitment and hiring
§ Figure out who is going to what engagement
§ Performance evaluation, compensation, and advancement

2) Engagement/client acceptance and continuance
§ Should the firm accept a client or continue a relationship?
§ Can the firm reasonably expect to complete the engagement competently?
§ Legal and ethical requirements

3) Leadership responsibilities
§ Firm leadership bears ultimately responsibility for firm’s quality control system

4) Performance of the engagement
§ Policies & procedures to ensure engagements have proper supervision
§ Information is kept confidential and safe

5) Monitoring
§ Helps ensure policies and procedures are actually in place and being followed
□ Just b/c you have them, doesn’t mean they are followed
§ “Wrap-up” or second partner review by a partner not involved in the audit
□ Required for issuers
□ Not required for nonissuers

6) Ethical requirements
§ Helps maintain public confidence in the profession
§ Maintain independence
§ At least annually, employees fill out independence form
□ Includes their investments, spousal investments, spousal jobs, parents jobs, etc.

Question 11

What is the difference between quality control standards and GAAS?

Answer 11

Quality Control Standards
- Applies to all professional activities of the firm
- HELP ME

GAAS
- Applies to each individual engagement
- Acceptance, risk and response, performing procedures and obtaining evidence, forming conclusions, reporting
- Doesn’t apply to stuff such as who you hired, do you have peer reviews, do you have proper training

*Failed or inadequate quality control ≠ lack of compliance with GAAS

Question 12

What areas of work should an engagement partner not be delegating?

Answer 12

○ Critical judgement areas
○ Significant risks
○ Other areas based on significant professional judgement

Question 13

What is an EQCR? Is this required for issuers and/or nonissuers?

Answer 13

EQCR is an engagement quality control review. It is performed by a partner not on the engagement who looks at a high level to make sure that important areas of the audit are being handled appropriately (e.g. sig judgement, independence, etc.).

Required for issuers
Performed only when required for nonissuers

Question 14

Do the auditor’s working papers support the audit opinion or the client’s presented FS?

Answer 14

Audit opinion
○ Client’s records support their FS
○ Working papers are for us, not them

Question 15

How long do you need to keep audit documentation for?

Answer 15

○ Nonissuer - 5 years
○ Issuer - 7 years

Question 16

How long does the auditor have to gather their final documentation file after the report release date? Why does this matter?

Answer 16

○ Nonissuer - 60 days after report release date
○ Issuer - 45 days after report release date

○ Important date b/c after this date, you can’t delete or add anything to the file without extensive documentation

Question 17

What are the 2 types of audit documentation?

Answer 17

1. Permanent/Continuous Audit File
   § Things that are relevant for >1 year (e.g. pension plans, multi-year contracts, leases, stock options, bylaws, articles of incorporation, bond info)
2. Current File
   § Relates to this year (e.g. audit plan, audit report, FS, trial balance, adjusting JEs, confirmations, management representation letter, etc.)

Question 18

What is a control?

Answer 18

a policy/procedure established to achieve the control objectives of management

Question 19

What are the 3 categories of control management?
Hint: ERC

Answer 19

1. Effectiveness and efficiency of operations
2. Reliability - of financial reporting
   § Most relevant for audit
3. Compliance - with applicable laws and regulations

Question 20

What is the COSO framework?

Answer 20

Committee of Sponsoring Organizations
- First released in 1992 to try and help entities reduce fraudulent financial reporting
- In 2013, the framework was updated to deal with all of the changes that have occurred since 1992
○ Introduced 17 principles that have been categorized into 5 major components

Question 21

What are the 5 elements of internal controls? Which are considered direct and which indirect?
Hint: CRIME

Answer 21

Direct:
1. Control Environment
2. Risk Assessment
5. Monitoring Activities

Indirect:
3. (Existing) Control Activities
4. Information and Communication

Question 22

What is the control environment part of internal controls?

Answer 22

Tone at the top of the organization

○ EBOCA
§ Ethics - commitment to ethics and integrity
§ Board - board independent and oversight
§ Organizational structure
§ Commitment to competence
§ Accountability

Question 23

What is the risk assessment part of internal controls? What is the auditor’s additional responsibility in relation to IT risks?

Answer 23

Auditor tries to understand how management addresses risk areas

○ We want to make a “SAFR” environment
§ Specify objectives
§ Assess - identify and assess changes
§ Fraud - consider the potential for fraud
§ Risks - identify and analyze risks

• Auditor must also evaluate IT risk:
  ○ Potential reliance on inaccurate IT
  ○ Unauthorized access to data
  ○ Unauthorized changes to data
  ○ Potential loss of data

Question 24

What is the (Existing) Control Activities part of internal controls?

Answer 24

Process an entity uses to assess the quality of their controls over time

○ CATP
§ Control Activities - select and develop control activities
§ Technology - select and develop technology controls
§ Policies - deploy policies and procedures

Question 25

What is the Information and Communication part of internal controls?

Answer 25

○ "OIE, this is a lot of information" § Obtain - and use information § Internally - internally communicate information § External parties - communicate with external parties

Question 26

What is the Monitoring Activities part of internal controls?

Answer 26

○ "Monitor your SOD to make sure the grass grows" § Separate and Ongoing - separate and ongoing evaluations of controls □ Frequency depends on the risk § Deficiencies - communication of deficiencies □ Not good enough to just identify

Question 27

What are the 8 control activities we want an entity to have? Hint: PAID TIPS

Answer 27

1. Prenumbering of documents * All transactions are recorded (completeness) * No transactions are recorded more than once (existence) * E.g. you can see you have checks 11, 12, and 14 but no 13 ○ Or you can see you have 11, 12, 12, 13 so you have 12 twice 2. Authorization and Approval of Transactions * Happens before a transaction happens * Affirms a transaction is valid 3. Independent Checks * Verification of work performed by somebody else ○ Have someone independent review another's work 4. Documentation * E.g. need to have certain documentation in place before a transaction can be processed 5. Timely and Appropriate Financial Performance Reviews * Comparison of actual and forecast performance * Any variances would be looked into 6. Information Processing Controls * Can be automated or manual * Makes sure items captured by the system are recorded accurately and correctly 7. Physical or Logical Controls for Safeguarding Assets * Physical - e.g. locks to prevent access to certain rooms or passwords that you need to enter to gain access somewhere * Logical - e.g. not everyone has access to all information in the system 8. Segregation of Duties * ARC should all be different people ○ Authorization - person who authorizes ○ Record keeping - person who records ○ Custody - person who ships items

Question 28

As part of planning, auditors decide on: a) Nature and Extent of Planning b) Involvement of Key Engagement Team Members c) Supervisors of Assistants d) Nature, Extent, and Timing e) Disagreement Among Auditors Talk about each and what auditors consider when planning for them.

Answer 28

a) Nature and Extent of Planning - depends on the complexity of the client b) Involvement of Key Engagement Team Members - partner has ultimate responsibility for audit and signing off seniors and staff need to be supervised and work reviewed c) Supervisors of Assistants - schedule a call with the team prior to the audit - inform them of the objectives of the audit, NET of procedures, any other important stuff d) Nature, Extent, and Timing - depends on complexity of client, nature of work, experience of team, riskiness e) Disagreement Among Auditors - should be brought up to the audit partner who makes the final decision - If staff still disagree after partner ruling, the staff can decide to be disassociated from the audit

Question 29

What does it mean for audits to use a "risk based" approach?

Answer 29

Test risky areas more heavily. Not every account is audited equally

Question 30

Do auditors need to have experience in the industry of their prospective client before accepting an engagement?

Answer 30

No, but once accepted they need to become familiar and gain experience (e.g. through reading standards and industry guidance)

Question 31

What is an audit strategy and what is included?

Answer 31

What is it: outlines the approach an auditor will take to conduct an audit What is included: - scope (including materiality) - objectives - timing - required comms - factors that determine the focus

Question 32

Which would outline the nature, extent, and timing of audit procedures - the audit plan or audit strategy?

Answer 32

Audit strategy

Question 33

What are the two categories of audit procedures?

Answer 33

1. Risk Assessment Procedures * Includes understanding of controls as well as environment * Audit is risk based so this is important 2. Further Audit Procedures a) Test of Controls - evaluate effectiveness of controls b) Substantive Procedures - use to detect material misstatements by testing transactions, account balances, etc. i. Test of Details ii. Substantive Analytical Procedures

Question 34

What additional considerations need to be made for planning an ERISA audit? What if they elect for 103(a)(3)(c)?

Answer 34

Normal ERISA: a) obtain most current plan instrument b) confirm plan tax status if they are tax-exempt c) prohibited transactions 103(a)(3)(c) - entity gets some investments certified by a qualified institution - need to assess how management got comfortable that the entity can certify their investments - auditor identifies certified transactions - auditor then doesn't need to perform as extensive procedures

Question 35

What are the 6 relevant assertions? Hint: COVER UP

Answer 35

1. Completeness - all accounts and disclosures that should have been included are included 2. Cutoff - correct period 3. Valuation, Allocation, and Accuracy - fairly stated at right amount 4. Existence and Occurrence - did this actually occur, does this actually exist 5. Right and Obligations - does the entity have the rights to this asset or obligation to this liability 6. Understandability of Presentation and Classification - easy to understand, classified correctly

Question 36

What is required in terms of communicating the audit plan to TCWG?

Answer 36

- written or oral - * Have to communicate significant risks identified * During this communication, auditor can also ask questions to gain a further understanding of the entity and where TCWG see risky areas

Question 37

What is additionally included in a group audit engagement plan?

Answer 37

* Extent that group engagement team will use work of component auditor * Whether they are going to reference the component auditor or take full responsibility

Question 38

Can audit plans be altered once they've been made?

Answer 38

Yes - can and usually are changed throughout the audit as new evidence is gathered by the auditors

Question 39

What are the things auditors can't share responsibility with IA for?

Answer 39

* Issuing report * Audit decisions * Judgments * Assessments made as part of the audit

Question 40

What can IA help the auditor with?

Answer 40

* Gaining understanding of client's internal controls * Assessing risk - while IA can't help directly with highly judgmental areas, their general work can help inform the external auditor's risk assessment * Performing control testing - external audit can leverage IA's control testing provided they have found the IA's to be competent and reliable * Performing substantive procedures - this would mostly be through an IA's assessment of an area as higher risk and therefore the external auditor plans more procedures

Question 41

Would we consider IA to be independent of the client?

Answer 41

No

Question 42

Can IA work along eliminate work for amounts with: a) High RMM b) High subjectivity c) Low RMM d) Low subjectivity

Answer 42

High RMM - no High subjectivity - no Low RMM - yes Low subjectivity - yes

Question 43

If the external auditor is going to rely on the IA's work is used in obtaining audit evidence, what must be assessed?

Answer 43

* Competence * Objectivity - we want IA to report to someone high up, not the audit department * Whether IA function applies a systematic and disciplined approach, including quality control

Question 44

What are specialists

Answer 44

Special skill in a field other than auditing

Question 45

What is the difference between a management and auditor specialist

Answer 45

* Auditor Specialist * Person auditor hires in helping obtain sufficient, appropriate audit evidence * Management Specialist - Hired by management to help prepare financial statements

Question 46

What should be agreed upon with a specialist and does it need to be in writing

Answer 46

1. Nature, scope, and objectives of the work 2. Respective roles and responsibilities of both parties 3. Nature, timing, and extent of communication 4. Confidentiality requirements (if any) *doesn't need to be in writing

Question 47

Can an auditor blindly rely upon the evidence of a specialist

Answer 47

No - need to have enough knowledge to be able to understand if it seems right. Can do this through talking with the specialist, reviewing the support they used, etc.

Question 48

What should an auditor evaluate about a specialist before relying on their work

Answer 48

* Need to evaluate competence, capabilities, and objectivity of a specialist - Competence and Capability - look at education, experience, reputation, etc. - Objectivity - assess independence

Question 49

When would you/would you not refer to a specialist in an auditor's report

Answer 49

* Do not refer to specialist if: * Management's specialist * Auditor is expressing an unmodified/unqualified opinion * Refer to specialist if: - Modified opinion due to specialist's findings - Explanatory paragraph added - Helps users understand a CAM/KAM

Question 50

Are IT auditors considered specialists

Answer 50

No - their expertise is considered to be in accounting

Question 51

Do agreements with component auditors need to be written?

Answer 51

Yes

Question 52

When is a misstatement material?

Answer 52

When that misstatement (individually or in aggregate) would substantially impact the decision making of a user

Question 53

What are the benchmarks that can be used for calculating materiality?

Answer 53

* Total revenue * Gross profit * Profit before tax from continuing operations * Net assets

Question 54

What are performance materiality and tolerable misstatement and which is for issuer/nonissuer?

Answer 54

Amounts set by an auditor at nonissuer TM --> issuer

Question 55

What is a clearly trivial misstatement?

Answer 55

* Even when aggregated, wouldn't affect anything

Question 56

What is audit risk?

Answer 56

The risk that the auditor issues the wrong opinion

Question 57

What is the difference between a factual misstatement, a judgmental misstatement, and a projected misstatement?

Answer 57

1. Factual Misstatements - there is no doubt * e.g. they buy a copier that cost $5,000 and is recorded at $500 * Very objective 2. Judgmental Misstatements * Arise from differences in judgement * E.g. management has their estimate for AFDA and the auditor disagrees 3. Projected Misstatements - Auditor comes up with their best estimate of a misstatement in a sample and projects it to the population

Question 58

In the formula audit risk = RMM * Detection risk, what are the two types of risk that make up RMM and what do they mean?

Answer 58

Inherent Risk - the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a material misstatement, before any consideration of related controls Control Risk - risk that the client's internal controls don't catch or prevent a material misstatement

Question 59

What are the 5 things inherent risk is based upon?

Answer 59

1. Complexity * The more complex a calculation or business transaction is, the more likely that the account or disclosures will be incorrect 2. Subjectivity * Something is subject to opinion (e.g. choosing depreciation or valuation method) 3. Change * When there is change, there is a higher likelihood that something will go wrong * E.g. application of new accounting principles, expansion 4. Uncertainty * Anything that is outstanding (e.g. warranties, legal claims) 5. Management bias or other fraud risk factors - e.g. transactions not at arms-length

Question 60

When would IR be assessed as high vs low? *MUST KNOW

Answer 60

* High risk: * High-volume, unique, or individually significant transaction * Complex or subjective calculations * Amounts derived from estimates * Cash (companies that deal with a lot of cash) * Other factors that increase IR: * When things aren't going well for the company * Technology that renders a product obsolete * Lack of working capital * Decline in overall industry or economy * Low risk: - If the account is not likely to contain a material misstatement

Question 61

When is control risk assessed as high vs low? What are the implications on the amount of testing the auditor needs to perform?

Answer 61

Low if client has effective internal controls that the auditor can rely on * Auditor needs to test the controls to confirm their operating effectiveness * Allows for a reduced amount of substantive testing Control risk is high if (NEED TO MEMORIZE) - There are no effective controls - Implemented controls aren't operating effectively - Sufficient, appropriate audit evidence can only be obtained through substantive testing Auditor needs to perform more thorough testing b/c they cannot be relied on

Question 62

What is detection risk? Can detection risk ever be eliminated completely? What is the relationship between detection risk and RMM?

Answer 62

What is detection risk? - risk that the auditor won't detect a material misstatement - function of our audit test work Can detection risk ever be eliminated completely? - no, some amount will always exist b/c we can't issue absolute assurance What is the relationship between detection risk and RMM? * Detection risk and RoMM have an inverse relationship * High RoMM --> set low DR * Low RoMM --> set high DR ○ Level of RoMM determines the level of DR ○ Logically, if you think the likelihood of RoMM is higher, you need your DR to be lower meaning you catch more stuff

Question 63

What are the 3 ways an auditor controls detection risk?

Answer 63

1. Nature - change the nature of substantive tests (from less effective to more effective) 2. Extent - change the extent of substantive testing performed 3. Timing - change the timing (e.g. perform at YE instead of interim)

Question 64

Can the auditor decrease IR/CR based on their procedures? What about DR?

Answer 64

- can't do anything about IR/CR, these depend on the client's systems of operations - you can change your assessment of them throughout the audit, but nothing you do will change the actual levels - DR is raised/lowered depending on the NET of your procedures

Question 65

What are the steps to assessing audit risk?

Answer 65

Step 1: Determine AR * Usually set at a low risk b/c nobody wants to get sued * If a question doesn't tell you the AR, assume it's low Step 2: Assess IR * High if accounts are likely to contain a RMM ○ Low if vice versa Step 3: Assess Control Risk * 3 ways CR is high ○ Note: if CR is high, RMM will always be high * If CR is low, then test controls Step 4: Detection Risk - Based on the assessed levels of IR and CR - Based on the ratio (AR/(IR∗CR)), we know that as RMM increases, DR decreases

Question 66

What is the difference between fraud and error?

Answer 66

Fraud - intentional Error - unintentional

Question 67

What are the types of fraud?

Answer 67

1. Fraudulent Financial Reporting (lying) * Intentional misstatements/omissions of amounts disclosed in the FS * Trying to deceive users of FS * Including: ○ Manipulation, falsification, or alteration ○ Misrepresentation or intentional omission ○ Intentional misapplication of accounting principles * Usually done by management - they have the technical knowledge to do it 2. Misappropriation of Assets (stealing) * Theft of assets ○ Some steals assets or pays for something not received * Can be done by anyone

Question 68

What are the 3 conditions for fraud?

Answer 68

1. Incentives/Pressures * Person committing fraud has a reason to commit (e.g. trying to get bonus or tough management) 2. Opportunity * Lack of effective controls 3. Rationalization/Attitude - Justify their fraudulent behavior somehow

Question 69

What are each party's responsibilities in relation to fraud?

Answer 69

Management's Responsibility * D&I of controls to prevent, deter, and detect fraud Auditor's Responsibility - Plan and perform the audit to obtain reasonable assurance - Specifically assess RMM due to fraud and identify higher risk areas - Continue to assess fraud throughout the audit

Question 70

What is the ET's responsibility in relation to discussing fraud?

Answer 70

* MUST have a discussion of fraud with the entire audit team * Brainstorm regarding: 1. What areas might be high risk for fraud 2. How management could hide fraud 3. How assets could be misappropriated 4. Emphasize professional skepticism

Question 71

What are the 3 ways that the ET obtains information regarding fraud?

Answer 71

1. Inquire of Entity Management * E.g. operating personnel, legal counsel, IA, TCWG 2. Consider Results of Analytical Procedures * Planning Phase - analytical procedures over revenue ○ Make sure growth in revenue makes sense 3. Evaluate Fraud Risk Factors - Lack of observation of any 3 doesn't mean there was no fraud

Question 72

What are the 3 ways that the auditor tries to respond and address risks?

Answer 72

1. Overall, General Response * Assign experienced personnel * Determine appropriate supervision * Vary audit procedures * Evaluate management selection of principles 2. Specific Procedures (NET) * Can vary the: ○ Nature ○ Audit ○ Timing 3. Risk of Management Override - Look at nonstandard/unusual entries - Review entries for bias - Review unusual transactions

Question 73

What are the documentation requirements around fraud?

Answer 73

Documentation should include: * Fraud risk assessment * Response * Discussion among engagement personnel * What auditor identified as riskier areas * If the auditor didn't want to identify fraud identified, explain why

Question 74

Who should the auditor tell about indications of fraud?

Answer 74

* Any indication of fraud --> discuss with a level of management one above those involved * Fraud that causes a material misstatement --> discuss with client's senior management and report directly to TCWG * If fraud relates to client's senior management --> tell TCWG * Risk factors representing a material weakness or significant deficiency --> tell client's management and TCWG