Quiz 3

Question 1

Who designs and maintains a system of internal control?

Answer 1

Management

Question 2

Internal control

Answer 2

The method by which a company’s Board of Directors, management, and other employees provide reasonable assurance.

Question 3

*Good internal control helps to achieve the following objectives:

Answer 3

-RELIABILITY OF FINANCIAL STATEMENTS
-Effectiveness and efficiency of operations
-Compliance with laws and regulations

Question 4

What kind of assurance does internal control provide

Answer 4

Reasonable Assurance

Question 5

Internal control assessment impacts the amount of

Answer 5

Substantive evidence required

Question 6

Auditor is most concerned with internal controls that pertain to

Answer 6

the preparation of external financial statements.

Question 7

COSO

Answer 7

A committee designed to help businesses establish, assess, and enhance their internal control.

Question 8

COSO components of internal control:

Answer 8

-Control Environment
-Risk Assessment
-Control Activities
-Information and Communication
-Monitoring activities

Question 9

*Control Environment

Answer 9

Sets the tone of an organization influencing control consciousness of its people. AKA does management take internal controls seriously. “TONE AT THE TOP”

Question 10

Risk Assessment

Answer 10

Management identifies its riskiest areas and implements controls to prevent, or detect errors/fraud that could result in material misstatement.

Question 11

Control Activities

Answer 11

The policies, procedures, techniques, and mechanisms that help ensure that management’s response to reduce risks identified during the risk assessment process is carried out.

Question 12

Information and communication

Answer 12

How organization obtains or generates and uses RELEVANT, QUALITY information to support the functioning of other parts of internal control.

Question 13

Monitoring Activities

Answer 13

Intended to assess the quality of internal control performance over time. Separate evaluations, ongoing monitoring, report deficiencies.

Question 14

What direct relationship exists in the COSO Framework?

Answer 14

Relationship between objectives (strive to do), components (what the entity needs to do to achieve objectives), and the structure of the company (operating units, legal entities)

Question 15

4 types of control activities:

Answer 15

-Segregation of duties
-Information processing controls
-Physical controls
-Independent checks

Question 16

Information processing controls (Definition of General and Application Controls)

Answer 16

General controls – relate to overall information processing environment and include controls over date center and network operations; software acquisition, development
and maintenance

Applications controls – apply to the processing of individual applications and help ensue occurrence, completeness and accuracy of the transaction processing

Question 17

Physical controls examples

Answer 17

Fences, safes, locks, security monitoring system, authorization requirements for access to computer programs and data files.

Question 18

After obtaining and understanding, of the entity’s internal controls,

Answer 18

The auditor decides whether to RELY or NOT RELY on client’s Internal structure

Question 19

*Reliance Strategy

Answer 19

Auditor will rely on internal controls, will test effectiveness of controls. If they are effective, won’t have to do as much testing

Question 20

*Substantive Strategy

Answer 20

Auditor does not rely on internal controls. Auditor will use substantive procedures as main source of evidence about assertions. Will involve more testing.

Question 21

*Walkthrough

Answer 21

A procedure where auditors trace a transaction from its origin through an organization’s processes and systems to its final recording in financial records, to assess the effectiveness of internal controls.

Question 22

To set control risk below HIGH, the auditor must

Answer 22

-Identify specific controls that will be relied upon
-Perform specific tests of the identified controls
-Conclude on the achieved level of control risk given results of testing.

Question 23

Effectiveness of design

Answer 23

Is control designed suitably to prevent, or detect/correct misstatement.

Question 24

Effectiveness of operation

Answer 24

“does the control work” –applied properly, consistently and who performs it.

Question 25

Low Detection Risk Strategy

Answer 25

RMM is set high AR = High RMM x Low DR = Higher and more extensive substantive testing. Year end

Question 26

High Detection Risk Strategy

Answer 26

RMM is set low AR = Low RMM x High DR = Less and less extensive substantive testing. Interim and year end

Question 27

*SOC 1 Type 1 Report

Answer 27

Describes the service company’s controls and assesses whether they are suitably designed to achieve specified internal control objective Helps auditor understand controls / where and how to test Specific point in time

Question 28

*SOC 1 Type 2 Report

Answer 28

Type 1 + provides assurance on the operating effectiveness of the service company’s controls based on the auditor’s tests of controls Over a specified period (usually 6 to 12 months)

Question 29

*Important difference between SOC 1 Type 1 and 2:

Answer 29

An auditor may reduce control risk below high only on the basis of a Type 2 report

Question 30

3 Different levels of deficiency ranked from Least to Most impactful:

Answer 30

1. Control deficiency 2. Significant deficiency 3. Material weakness

Question 31

*SOX 404

Answer 31

Requires managemnt of publicly traded companies to issue a report that accepts responsibility for establishing and maintaining an adequate ICFR, and assert whether ICFR is effective “AS OF” the end of the fiscal year

Question 32

To form an opinion of the effectiveness of ICFR, the auditor must

Answer 32

Plan and perform the audit to obtain reasonable assurance about whether the entity maintained, in all material respects, effective internal control as of the date specified in management’s assessment

Question 33

ICFR

Answer 33

A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP

Question 34

Control Deficiency

Answer 34

Exists when the design or operation of a control does not allow management (or employees), in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Question 35

Significant Deficiency

Answer 35

A control deficiency or combination of control deficiencies in ICFR that is less than a material weakness yet important enough to merit attention by those responsible for the oversight of the entity’s financial reporting.

Question 36

Material Weakness

Answer 36

A deficiency or combination of deficiencies in ICFR so that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis

Question 37

Main focus of ICFR

Answer 37

To detect Material Weakness [We hunt for BIG GAME]

Question 38

When judging the significance of a control deficiency, the auditor must consider two dimensions: list and define

Answer 38

Likelihood = is deficiency reasonably possible Magnitude = is deficiency material, significant or insignificant (BASED ON MATERIALITY)

Question 39

Management's 3 step top-down evaluation approach:

Answer 39

1. Identify financial reporting risks and related controls. 2. Consider which locations to include in assessment. 3. Evaluate evidence regarding the operating effectiveness of ICFR.

Question 40

Most entities use what framework for ICFR Assessment?

Answer 40

Framework developed by COSO

Question 41

Entity level controls

Answer 41

Controls that have a pervasive effect on the entity's system of internal control.

Question 42

Entity level controls benefits:

Answer 42

-Lower the risk that transaction controls may fail due to employees/communication/culture -Lower the risk of fraud -Lower the risk of significant impact caused by control failure -Reduce the level of effort associated with transaction controls

Question 43

*Management needs to evaluate the severity of the control deficiencies based on:

Answer 43

Likelihood and Magnitude

Question 44

*If material weakness assessed, management must disclose the material weakness in its report on ICFR which should include:

Answer 44

-Nature of material weakness -Its impact on the entity’s financial reporting and ICFR -Management’s current plan to remediate the material weakness

Question 45

Integrated audit approach

Answer 45

Auditor combines audits of internal control and financial statements.

Question 46

*If one or more "material weaknesses" exist

Answer 46

then ICFR can not be considered effective ONLY TAKES ON MATERIAL WEAKNESS = ADVERSE OPINION

Question 47

*Auditor not required to search for deficiencies that are

Answer 47

less severe than "Material weakness" Searching for BIG FISH

Question 48

Two entity level controls that the auditor must specifically evaluate:

Answer 48

1. Control Environment 2. Period-End Financial Reporting Process

Question 49

Relevant assertions

Answer 49

Financial statement assertions that have possibility of containing a misstatement that would cause the financial statements to be materially misstated

Question 50

What is often the best way to identify potential sources of misstatement?

Answer 50

Walkthroughs

Question 51

Key Controls

Answer 51

Only the controls that are important to the auditor's conclusion on ICFR that address risk of misstatement to each relevant assertion. Only controls that need to be tested

Question 52

Prevent Control

Answer 52

Designed to prevent error before it occurs

Question 53

Detect control

Answer 53

Designed to find errors (detect and correct)

Question 54

Manual, higher frequency, higher importance of a control =

Answer 54

More testing of the control.

Question 55

Auditors evaluate the severity of each control deficiency based on:

Answer 55

1. Likelihood: reasonable possibility the control will fail to prevent or detect a misstatement 2. Magnitude: significance of failure, significance of the potential misstatement (think materiality, would it be a MM)

Question 56

What to do if there is a material weakness

Answer 56

Company should remediate/ correct it. Must be re-tested before the "As-of" date

Question 57

Scope Limitation

Answer 57

Management’s failure to provide written representations specific to the audit of ICFR to the Auditor

Question 58

*Different opinions for ICFR:

Answer 58

Unqualified Opinion- No Material Weaknesses (Control and Significant Deficiencies allowed) Adverse Opinion- A Material Weakness identified Disclaimer Opinion- Issued due to serious (more than minor) scope limitation NO QUALIFIED OPINIONS

Question 59

Audit Sampling objective

Answer 59

To achieve a REASONABLE BASIS for the auditor to draw conclusions about the population from which the sample is selected.

Question 60

Audit Standards recognize and permit the use of

Answer 60

Non-statisical sampling (Judgemental Sampling) and Statistical Sampling

Question 61

Statistical Sampling

Answer 61

We use statistics to compute sample size and evaluate results

Question 62

Non-Statistical sampling

Answer 62

Does not follow strict statistical techniques to determine sample size, sample selection, and evaluation of results. Relies more on auditor's professional JUDGEMENT

Question 63

Sampling

Answer 63

The selection and evaluation of less than 100% of the population of audit relevance selected in such a way that the auditor expects the items selected to be representative of the population

Question 64

Representative sample

Answer 64

A small quantity of something that accurately reflects the larger population

Question 65

Sampling Risk

Answer 65

The risk that the sample may not be truly representative of the population AKA Non-Representative Sample

Question 66

Non-Sampling Risk

Answer 66

Refers to any other mistakes by the auditor (human error)

Question 67

Detection risk =

Answer 67

Sampling risk + non-sampling risk

Question 68

*Type 1 Audit Sampling Error

Answer 68

Auditor concludes IC not working effectively when they are working. Risk assessing control risk as TOO HIGH These errors are OKAY, but lead to more testing than needed and an inefficient audit

Question 69

Type 2 Audit Sampling Error

Answer 69

Auditor concludes IC is working when they, in truth, ARE NOT working Risk of assessing control risk TOO LOW Potentially severe consequences such as audit failure.

Question 70

Sample size designs by auditors are designed to guard against

Answer 70

Type 2 errors

Question 71

Random Number Selection

Answer 71

Every item in the population has the same probability of being selected as every other sampling unit in the population

Question 72

Systematic Selection

Answer 72

The auditor determines a sampling interval by dividing the population by the sample size. A starting number is randomly selected in the first interval and then every nth item is selected

Question 73

Haphazard sampling

Answer 73

Involves selecting items from a population without consideration to know characteristics of items in the population

Question 74

Block Sampling

Answer 74

Involves selecting items from the population in contiguous groups (or blocks)

Question 75

Judgmental Selection

Answer 75

Auditor chooses items based on judgement.

Question 76

Confidence Level

Answer 76

The probability that the value of a parameter falls within a specified range of values (think presidential polling)

Question 77

Increase in sample size =

Answer 77

Increased confidence, Lower the sampling risk

Question 78

Decrease in sample size =

Answer 78

Lower confidence, increase sampling risk

Question 79

If 90% confidence, sampling risk is

Answer 79

10%

Question 80

Tolerable Error / Tolerable Deviation Rate

Answer 80

The highest deviation rate the auditor could accept and still conclude that the internal control is still effective

Question 81

Expected Error / Expected Deviation Rate

Answer 81

How much deviation the auditor expects

Question 82

As Tolerable Error increases

Answer 82

Sample Size decreases

Question 83

As Expected Error increases

Answer 83

Sample size increases

Question 84

Allowance for sampling risk =

Answer 84

Tolerable Error - Expected Error "CUSHION"

Question 85

As allowance for sampling risk decreases,

Answer 85

Sample size increases

Question 86

What is the impact of Population size on sample size?

Answer 86

Little to none

Question 87

What is a deviation in sampling?

Answer 87

Auditor unable to examine a sample item. Too many and the auditor will stop testing

Question 88

When it comes to sampling deviations, auditor should investigate:

Answer 88

1. Nature/cause of deviation – is it an unintentional error or fraud (is important) 2. Consider how do the deviations impact other phases of the audit

Question 89

Attribute Sampling

Answer 89

Used to estimate the proportion of a population that possesses a specified characteristic

Question 90

Data Analytics

Answer 90

Process of cleaning, transforming and modeling data with the goal of discovering useful information, in forming conclusions, and supporting decision making

Question 91

Big Data

Answer 91

Datasets that are too large and complex for businesses’ existing systems to handle using their traditional capabilities to capture, store, manage and analyze these data sets

Question 92

Volume

Answer 92

Sheer amount of data regardless of source

Question 93

Velocity

Answer 93

The speed of data is being generated or the rate data is being analyzed

Question 94

Veracity

Answer 94

Refers to unstructured and unprocessed data

Question 95

Variety

Answer 95

The quality of data

Question 96

Two important limiting factors when dealing with Big Data:

Answer 96

Storage – many companies now use cloud platform to lower the cost of storage Processing power – the processing power required to obtain information valuable to the company could be enormous or even impossible

Question 97

ETL

Answer 97

Extract, transform and load the data

Question 98

Two applications for data analytics in accounting:

Answer 98

1 Key performance indicators – critical measures from an organization’s strategy 2. Audit data analytics (ADA) – process of “discovering and analyzing patterns, identifying anomalies, and extracting useful information in data.... For the purpose of planning or performing the audit

Question 99

AICPA 5-step process for Data Analytics

Answer 99

1. Plan the ADA (Audit Data Analytics) 2. Access and prepare the data for purposes of AD 3. Consider relevance and reliability of the data 4. Perform the ADA 5. Evaluate results and conclude

Question 100

In its assessment of ICFR, a publicly traded company identified a material weakness, what is its reporting responsibility (what disclosures are required to be reported by management)?

Answer 100

A publicly traded company that identifies a material weakness (at it as of date) in its Internal Control over Financial Reporting (ICFR) is required to disclose the material weakness in a written report included int its annual financial statement filing (10-k filing). The disclosure should include the following a. Nature of material weakness – explain the material weakness (what is it) b. The impact of the material weakness on the company’s financial reporting and ICFR c. Management’s current plan to remediate the material weakness