Flashcards in Internal control II Deck (21):
During the planning phase of the audit, the auditor obtains an understanding of the internal control system by considering
1. the types of misstatements that may occur
2. the risk that misstatement may occur
3. factors that influence the design of tests of control and substantive tests
4. the assessment of inherent risk
5. judgments about materiality
6.the complexity and sophistication of the entity's operation and systems.
7. the use of manual vs. computerized control procedures.
Assessing risk based on the effective operation of control invloves
1. identifying specific internal controls relevant to specific assertions that are likely to prevent or detect material misstatement in those assertion
2. performing tests of such controls to evaluate effectiveness.
1. Risk assessment procedures MUST be performed to assess the risk of material misstatement and to determine whether and to what extent further audit procedures are necessary.
2. the planning process and the overall review stage of the audit MUST include application of analytical procedures.
3. Tests of the the operating effectiveness of control, are ONLY performed when auditor's risk assessment is based on the assumption that control are operating effectiveness or when substantive procedures alone are insufficient.
When an auditor assess control risk maximum level
The assessment should be DOCUMENTED and the auditor should make decision to potentially perform MORE substantive procedures.
An account does NOT change much from year to year is reasonable PREDICTABLE with respect to amount, relative significant, and composition, making it a prime candidate for interim testing (before the balance day vs. close to balance date)
Given a high level of RMM, the auditor would need to reduce detection risk, performing tests at interim date would INCREASE detection risk.
Overall response to F.S level risk, the auditor should
a. communicate to the audit team an increased need for professional skepticism
b. assign staff with more experience or specialized skills
c. increase the level of supervision
d. incorporate a greater level of unpredictability into the audit
f. make pervasive changes to the nature, extent or timing of tests, such as shifting substantive procedures closer to period end.
During an audit of F.S, an auditor should perform tests of control to obtain sufficient appropriate audit evidence about the operating EFFECTIVENESS of relevant controls if
1. the auditor's risk assessment is based on the assumption that controls are operating effectively
2. substantive procedures alone are insufficient.
Substantive procedures include:
1. test of details
2. substantive analytical procedures.
If interim substantive procedures for an account identified no exceptions, the auditor would NOT perform tests of details for the entire year under audit at year end. (only the period since the interim testing date will be tested or influenced)
The auditor should be designed to identify material misstatement DUE TO acts of noncompliance with laws and regualtion
But acts of noncompliance with laws and regulations are relate to OPERATING ASPECTS rather than accounting aspects MAY NOT directly affect the F.S, and therefore they may be less likely to be discovered by the auditor.
If specific info comes to auditor's attention that implies the existence of possible acts of noncompliance with law and regulations that could have A MATERIAL, BUT INDIRECT EFFECT on the F.S, the auditor should
Apply audit procedures specifically directed to ASCERTAINING whether an act of noncompliance with laws and regulations has occurred.
The auditor should obtain an understanding of the situation in order to evaluate the effect on the F.S, inquiry of management at a level above those involved, consult legal counsel, and consider applying additional procedures if necessary.
Regarding accounting info system, the auditor should obtain an understanding of
1. the class of transactions that are significant to the F.S
2.Accounting processing, from initiation of a transaction to inclusion in the F.S
3. The accounting record, supporting info, and specific accounts involved in initiating, authorizing, recording, processing and reporting transaction
4. The way in which other significant events and condition are captured by the system
5. The financial reporting system, including the development of significant accounting estimate and the inclusion of appropriate disclosure.
Info that may raise a question concerning possible noncompliance with laws and regulation include usually large payments made to
3.purchase cashier checks
4. transfer fund to numbered account.
An entity's risk assessment DIFFER FROM an auditor's assessment of audit risk
The entity is concerned with managing risks that affect entity objectives whereas the auditor is concerned with the risk that material misstatement could occur in the F.S.
Before performing substantive tests at an interim date, an auditor should consider
Whether the amount of the year-end balances selected for interim testing are reasonably predictable with respect to amount, relative significance and composition.
A engagement letter, which is a presumptively mandatory requirement, sets forth the scope and nature of an auditor's CONTRACTUAL OBLIGATION to a client.
The scope and introductory paragraphs of the auditor's report do provide some info regarding the work performed by the auditor, but they do not express the auditor's understanding with the client AS COMPLETELY AS does an engagement letter.
Monitoring is the process of assessing the quality of internal control performance over time and taking necessary corrective actions
Assessing info derived from external parties such as customer complaint and regulator comments in INCLUDED in the monitor process.
Eliminating controls that are not operating effectively is NOT included in monitor process.
The auditor should obtain an understanding of client accounting methodoloyg because
It affects the design of internal control.
Service auditor report(Type 1 report)
Report on management's description of the service organization's system and the suitability of the design of control.
Type 1 does NOT provide the user CPA with a basis for reducing the assessment of control risk
Type 2 report
Report on management's description of the service organization's system and the suitability of the design and operating effectiveness of control.
Type 2 MAY provide evidence that would allow a reduction in the assessed level of control risk.
Engagement is a business matter between the client and the predecessor auditor that has no impact on the successor's audit
Hence, it it NOT appropriate for the successor auditor to request a review of the predecessor's engagement letter.
The USER auditor should NOT make reference to the report of the service auditor as a basis, in part, for his own opinion on the user organization's F.S
Since the service auditor is NOT responsible for the examination of any part of the user organization's F.S, a division of responsibility would be inappropriate.