Chapter 9 Flashcards
(100 cards)
1
Q
All audit process steps (7)
A
- Client acceptance
- Audit planning
- Assess RMM
- Develop risk response
- Perform risk response
- Conclusion
- Reporting
2
Q
Risk Assessment Procedures (2)
A
- Understand entity and environment
- Obtain evidence on design and implementation of controls
3
Q
Auditor goals in risk assessment (2)
A
- Understand internal controls
- Evaluate components of the system of internal control
4
Q
Type of risk assessment procedures (6)
A
- Inspection
- Inquiry
- Examination
- Observation
- Information system walkthrough
- Understanding IT general controls
5
Q
Documenting the System of Internal Control (3)
A
- Narrative
- Flowchart
- Internal control questionnaire
6
Q
Narrative written description of a client’s internal control areas (4)
A
- The origin of every doc & rec in the system
- All processing that takes place
- The disposition of every document and record in the system
- Key control relevant to control risk assessment (separation of duties, authorization and approval, and verification)
7
Q
Flowchart (3)
A
- Symbolic/diagrammatic representation of the client’s doc
- Include the same 4 characteristics as narratives
- Helps identify inadequacies with a clear understanding of how the system operates
8
Q
Internal Control Questionnaire (2)
A
- Questions about control in each audit area, including control environment
- Yes/no response
9
Q
Flowchart advantage
A
Easy to read and update compared to narratives
10
Q
Internal control questionnaire disadvantages (2)
A
- No overview of the system
- Bias from poor design
11
Q
Which documenting strategies work well together?
A
Flowchart & questionnaire
12
Q
Why evaluate system of internal control?
A
To evaluate the strengths and weaknesses of the system
13
Q
How to test effectiveness of strong control?
A
Effective if it minimize RMM of transaction, balance, disclosure, and assertions
14
Q
What to do if there is no control test
A
Gather evidence to support understanding of internal control
15
Q
Consideration when deciding to rely on controls (2)
A
- Will it improve audit efficiency?
- Is it necessary? (Because of automated transactions)
16
Q
What do to when identifying a control deficiency?
A
Identify RMM and adjust RR at overall assertion level
17
Q
What happens when auditor concludes that substantive procedures are not enough?
A
Consider modifying opinion due to scope limitation
18
Q
Levels of absence of internal control (3)
A
- Control deficiency
- Significant deficiency
- Material weakness
19
Q
Control deficiency
A
Misstatement are not detected/corrected on a timely basis
20
Q
Control deficiency component (2)
A
- Design deficiency
- Operation deficiency
21
Q
Design deficiency
A
Missing or poorly designed controls
22
Q
Operation deficiency
A
Well designed but not well operated by a person
23
Q
Significant deficiency
A
Important control deficiencies
24
Q
Significant deficiency components (4)
A
- Fraud
- Uncorrected communicated deficiencies by the auditor
- Management’s failure to respond to significant risk
- Restatement of previously issued FS
25
Material weakness
Deficiencies that makes MM less detectable by internal control on a timely basis
26
Compensating controls
Control elsewhere in the system that offsets a weakness
27
Can any control be a compensating control?
Yes
28
How do we know when a control problem change from 1 type to another?
Judgement call
29
Are small company materially weak?
Yes, but it doesn't mean that they are are MM, they don't have enough resources
30
Focus of Risk Assessment Procedures (3)
- Control environment
- Risk assessment
- Monitoring
31
Control environment (3)
- Are management and governance honest?
- Provide a foundation for other component
- See if control def undermine
32
Risk Assessment
Is it appropriate considering the nature and complexity of the org?
33
Monitoring
Is it appropriate considering the nature and complexity of the org?
34
Auditor evaluation of information system (3)
- Understand how business process initiate
- Authorize and records transaction
- Evaluate design of relevant control and their implementation
35
Control activities evaluation
To understand which control to consider
36
Control activities considerations (2)
- "What can go wrong"
- Whether the control activity addresses the related assertions
37
Which controls need to be understood and evaluated? (4)
- Controls that address significant risk
- Controls over journal entries
- Control that auditor plans to test operating effectiveness
- Controls related to reconciliation
38
Control matrix
- Help auditor assess how different controls prevents or detect misstatement
- Useful to identify multiple relationship between controls and assertions
39
Why is it a problem for auditor whenever controls are on cloud computing or outsourced systems?
It's difficult to evaluate when it comes from an independent entreprise
40
Solution to cloud computing / outsourced system for auditor
Understand the service center controls depending on the complexity, particularly if processing significant financial data
41
Service auditor report (SAR)
Provide guidance and uniformity in the way service provider to their disclosures
42
SAR purpose (2)
- Provide assurance on adequacy of service center
- Reduce redundant audit
43
Types of SAR reports
- Suitability of the design of control
- Suitability of the design operating effectiveness of controls
44
Type 1 SAR report
Help auditor to understand internal controls to plan the audit
45
Type 2 SAR
- Help auditor with evidence (mostly from test on controls)
46
What to do if auditor relies on SAR
Make appropriate inquiries on service auditor's reputation
47
Other Consideration in Evaluating Control Activities (3)
- Everyone has IT general controls
- Degree of which they are formalized depends on the complexity of the IT environment
- When a client has complex IT, need to assess if the audit team has the skills to perform the audit
48
Control risk assessment (3)
- To assess the design and implementation of controls relevant to the audit
- Focus on control in control activities
- Need to check effectiveness of IT general controls
49
Preliminary Control Risk Assessment
Expectation based on design and implementation of control activities
50
Audit approaches (3)
- Test of control only
- Substantive procedure only
- Combined approach
51
How to decide on which approach to take?
- Never do test of control only
- Substantive procedure only if controls are bad
- Combined approach if controls are good and cost effective
52
Emerging tech in control risk assessment impact
Way we obtain relevant info to support internal control system
53
Tech in risk assessment considerations (3)
- Understand the direct and indirect effects of new tech
- Understand how new tech impacts the flow of transactions
- Assess the appropriateness of the management's processes related to the new tech
54
Internet of Things (IoT)
Connecting Wi-fi device to the internet
55
Application programming interface (API)
"Glue" that connect IoT to company application so that data can be analyzed
56
IoT & API purpose
Manage processes
57
How do IoT & API improve the accounting system
Perform real-time transaction and monitoring, which reduce the need for reconciliation
58
IoT weakness
Can increase risk of corporate espionage and hacking attack
59
How to secure API
Use strict access controls
60
IoT & API impact on audit (3)
- Less reliance on manual controls
- Training required to evaluate automated controls
- Need to evaluate access controls and new service providers
61
Smart contract
Automated transactions without 3rd parties (ex: banks)
62
Blockchain
Distributed digital ledger which certain computer/nodes are granted access
63
Smart contract & blockchain relation
Blockchain tech is necessary for smart contracts
64
Smart contract & blockchain advantages (4)
- Faster
- Cheaper
- Less errors
- Minimize theft and fraud
65
SC&BC disadvantages (4)
- Coding error
- Interpretation error
- Handoff risk
- High energy requirement
66
Who use SC&BC?
Early adopters
67
SC&BC impact on audit (4)
- Understand the impacts on assessment of internal control
- New key concerns: reliability, accuracy, and completeness
- Need to understand process
- Need to focus on potential blockchain manipulation
68
When are ML and AI used
When performing routine tasks (classification & transaction)
69
ML & AI advantage
Can detect transaction with high fraud risk
70
ML & AI disadvantages (3)
- Algorithmic bias
- Poorly designed algorithm
- Security & change management risk
71
ML & AI impact on audit (2)
- Incorporation into risk assessment
- Potential difficulties with addressing the risk of negative impact from biased data
72
Purpose of Tests of Controls
To see if control actually work (prevent, detect, correct misstatement)
73
Which controls to test?
Those that prevent, detect and correct misstatements
74
Characteristics of effective controls (3)
- Well designed
- Being used
- Operate reliably throughout the period
75
What else to take into consideration when doing tests of controls
Efficiency and effectiveness
76
Designing tests of control
- How the controls are applied
- How often are they applied
- Who applies them
77
Inquiries in test of control
Not reliable alone, but still necessary
78
Observation in test of control
When control activities have no evidence trail
79
Reperformance in test of control
When documents and record are not sufficient assess controls' effectiveness
80
Test data approach
Reperformance of controls though processing the auditor's test data on the client's computer system and application program
81
ATT in test of control (2)
- Use generalized audit software (GAS)
- Use data analytics
82
- Tests of Controls vs. Risk Assessment Procedures
- RAP: examine few transaction and maybe observe at one point in time
- Tests of Controls: larger sample (more examination and observation )
83
Extent of Control Tests (2)
- Use a combination of procedures
- More reliance on effectiveness of controls --> more persuasive evidence
84
Frequency of Control Operation (2)
- Can test for control at the different frequencies than normal
- Manual or automated?
85
Expected Rate of Deviation (4)
- Test controls with sample
- If sample increase, expected rate increase
- Size of sample important
- Automated control --> low expected rate
86
Rotational Testing
Test specific controls every 3 years
87
Rotational testing: what to do if a key control changed
Test it in the current year
88
Do we test all controls every 3 years?
No, separate them on 3 years
89
What to do if controls are significant risks?
3 year rule doesn't apply, they will be tested every year
90
Evidence from Other Tests
Test several different control for 1 assertion
91
What to do when there is a change in IT system?
New system needs to be documented and evaluated
92
When to do risk assessment when changing IT system?
In the case of data conversion
93
When can auditor rely on controls of new IT system?
If the implementation process is well done (the new controls are good)
94
What to do if the new controls are not good?
Need to construct substantive tests (conversion audit)
95
Conversion audit (3)
- Test comparative details of new with the old
- Test comparative detail of old with new
- Cutoff testing
96
To who does auditor communicate deficiencies and material weakness?
Those charged with governance
97
To who communicate significant control deficiencies?
Audit committee or equivalent (BOD, owner, manager)
98
Where are communication on internal controls written? (2)
- Year-end report
- Internal control letter
99
What is included in the management letter?
Observed less significant internal control-related matters
100
Reporting on Internal Controls for Some Public Companies (2)
- Report on management's assessment of internal control in addition to opinion on FS
- Required from the Sarbanes-Oxley Act
