Actg 460 Midterm 2 Study Guide PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This study guide covers the basics of internal control, emphasizing the importance of internal controls in achieving organizational objectives, protecting assets, and ensuring reliable financial reporting. It also discusses the concept of audit risk, with a focus on the components of a substantive and reliance strategy and the nature of the assertions.
Full Transcript
# Actg 460 Midterm #2 Study Guide ## Chapter 6 ### Basics of Internal Control - Internal Control - Process designed to provide reasonable assurance regarding the achievement of objectives related to: - Operations - Reporting - Compliance - Protects assets from being...
# Actg 460 Midterm #2 Study Guide ## Chapter 6 ### Basics of Internal Control - Internal Control - Process designed to provide reasonable assurance regarding the achievement of objectives related to: - Operations - Reporting - Compliance - Protects assets from being stolen / misappropriated. - Ensures reliability of information and financial reporting. - Why do auditors need to assess internal controls? - Must obtain an understanding of entity's internal controls to help identify types of misstatements likely to occur and assess the risk of fraud in the financial statement audit. - Influences the audit strategy at the assertion level. ### Controls Relevant to an Audit - Entity level internal controls - controls at organizational level - financial statement - Examples: Most of COSO framework: - Control Environment - Information and communication - Monitoring - Risk assessments - Transaction level internal controls - controls designed to prevent or detect and correct misstatements in transactions and related account balances. - Examples: - Segregation of duties - Physical control of assets - Video cameras ### Components of COSO Internal Control - Do not need to know each of the principles, just the 5 basic components and what they mean: - Control Environment - tone of organization and culture. - Risk Assessment - process of assessing risk within organization that could prevent them from achieving its objectives. - Control Activities - Actionable controls usually at the transaction level. - Information and Communication - Communication within and outside organization. - Monitoring Activities - Monitoring own system like internal audit, updating as necessary and making sure controls are working effectively. ### Limitations of Internal Control - Management override of internal control - Opportunity for higher level management to direct employees to do something or do it themselves. - Human errors or mistakes. - Collusion - people working together to do fraudulent activity at multiple levels of organization. ### Components of Audit Risk - Inherent Risk x Control Risk x Detection Risk ### Substantive Strategy v. Reliance Strategy - Substantive Strategy: When the internal control weaknesses and the risk of material misstatement is not being detected by the internal controls. - Reliance Strategy: Identifies internal control strengths, decrease control risk and less testing to do. ### Assertions - Accuracy / Valuation and Allocation - Everything recorded accurately and appropriately measured and valued. - Occurrence / Existence - Transactions that have been recorded have occured, assets, liabilities, and equity exist. - Classification - Recorded to proper accounts. - Completeness - All transactions that should have been recorded are recorded and all assets, liabilities and equity that should have been recorded are recorded, all disclosures included. - Cut-Off - Recorded in correct period. - Rights & Obligations - Entity holds or controls the right to the assets and liabilities are obligations to entity. - Authorization - Transactions are authorized. - Presentation - Compliant with GAAP and understandable. ### General Idea of Performing Tests of Controls - Why we do it: - Determine if controls are in place to determine reliance vs substantive strategy - Determine which controls we will test if we decide on reliance strategy - What does it achieve: - Provides evidence that the controls are designed and operating effectively to prevent material misstatements from occuring or detecting them and correcting it. ### Communication of Internal Control Matters - Control deficiency - when the design or operation of a control does not prevent or detect and correct misstatements. - Controls necessary to meet objective is missing - Existing control not properly designed so objective is not met - Should report to management. - Significant deficiency - deficiency or combination of them in internal control that is less severe than a material weakness. - Must report to management. - Material weakness - Deficiency or combination of them that there is a reasonable possibility that a material misstatement will not be prevented or detected and corrected. - Must report to public in the auditor's report on ICFR and management. - Can create an adverse opinion on ICFR. ### How the results of control testing will impact the nature, timing and extent of audit procedures performed. - Nature - If controls are weak, need to change the type of audit procedures they do - such as more substantive testing, more audit procedures done. - Timing - If they're weak - they will perform more procedures closer to year end. - Extent - If they're weak - increase sample size. ## Chapter 7 ### Types of Controls - Preventive vs. Detective - Preventive - Happens before or while transaction is being processed, applied to each transaction to stop errors or fraud from occurring. - Ex: Separation of duties. - Detective - Applied after a transaction takes place identifying any errors or fraud that already occurred. - Ex: IT application controls and manual follow up, reconciliation, management level reviews, performance indicators. - Manual vs. Automated - Manual - Don't rely on IT and done by staff. - Automated - Rely on IT applications or software ### Different procedures used in testing controls. - Inquiry - Observation, inspection of physical evidence, reperformance, test of software controls. ### Factors that influence the sample size and their relationship to the sample size - Level of assurance - evidence obtained from sample is representative of population. - Lower levels of assurance - smaller sample size. - Higher levels of assurance - larger sample size. - Tolerable deviation rate - Maximum rate of deviation an auditor is willing to accept and still use the planned assessed level of control risk. - Larger rate of deviation that the auditor can tolerate - smaller sample size. - Smaller rate of deviation that the auditor can tolerate - larger sample size. - Expected deviation rate - rate auditor expects controls not to function as planned. - Greater amount of difference between tolerable and expected deviation rate - the smaller the sample size. - The closer deviation rate and expected deviation rate are to each other - the larger the sample size. - Population size - Smaller population, smaller sample size. - Larger population, larger sample size. - If larger than 5,000, no effect on sample size. ### Different types of control deficiencies and how they impact the report in ICFR and who they must be reported to. - Control deficiency - When the design or operation of a control does not prevent or detect and correct misstatements: - Controls necessary to meet objective is missing - Existing control not properly designed so objective is not met - Should report to management - Significant deficiency - Deficiency or combination of them in internal control that is less severe than a material weakness: - Must report to management - Material weakness - Deficiency or combination of them that there is a reasonable possibility that a material misstatement will not be prevented or detected and corrected: - Must report to public in the auditor's report on ICFR and management. - Can create an adverse opinion on ICFR. ## Chapter 8 ### Audit Data Analytics - Risk assessment tool, tests of controls, test for balances and transactions. ### 5 step approach for planning and performing audit data analytics 1. Obtain company background and information data. 2. What is the audit problem you're trying to solve? 3. Gather information and evidence. 4. Perform the analysis and evaluate the results. 5. Draw an audit conclusion ### Steps associated with gathering and preparing data for analytics (Step 3) 1. Determine that the data is complete. - Verify that the data is the same data that is used to prepare the financial statements. - Check the numerical continuity of the data (invoice numbers, 1, 2, 3) - Does it include key elements used for analysis - unique identifiers - Is data sufficient to draw a conclusion 2. Does the data need to be cleaned? - Files with missing data - Data appropriately and consistently formatted - Must consider relevance and reliability of data used ### How are data analytics used in risk assessment? - Different types of applications (cluster, regression) - Cluster analysis - discovering groups of similar items or not similar - Regression analysis - process of estimating a prediction equation to make expectations and compare them against actual - Use of the risk analysis decision tree - If it fits the auditors expectation or not - If not, if it is an acceptable or unacceptable variation from auditor's expectation - If unacceptable, if it is a remote or reasonable possibility of aggregating to a material misstatement - Notable Items - Item that stands out from the population being analyzed and has one or more of the following characteristics for a relevant assertion - New risk of material misstatement - Higher risk of material misstatement that anticipated - Provides information useful in designing or tailoring procedures to address risks of material misstatement - Benefits and risks of data visualization - Benefits: - Help people visually compare data elements. - Generally understood by a wider audience - Communicate a lot information efficiently. - Likely to be remembered. - Risks: - Does not provide precise figures or tests of significant needed in ADA. - Remembered because it's pretty, not the message conveyed - not always appropriate. - Misleading ### How are data analytics used in substantive testing? - Uses electronic evidence to validate data and detect material misstatement. - Matching information in accounting records with information on underlying documents - Ex: Vouching or tracing - Usually used when performed tests of controls and concluded that entity has strong IT general controls, IT application controls, controls over electronic data interchange and exchange of electronic data between the client and customers/suppliers. ## Chapter 9 ### Risk response and the financial statement level - Emphasize that audit team members should maintain professional skepticism. - Assign more experienced staff to areas where there is a higher risk of material misstatement. - Provide more supervision to staff. - Include more elements of unpredictability when selecting audit procedures. - Make general changes to the nature, timing, or extent of audit procedures to obtain more persuasive evidence. ### Substantive analytical procedures - Evaluations of financial information through analysis of plausible relationships among financial and nonfinanical data. - When are they typically used? - Required at risk assessment phase and end of audit. - What are some factors in considering whether they are appropriate? - Nature of the assertion - Plausibility and predictability of the relationship - Availability and reliability of data used to develop the expectation - Sources of data, controls over data, testing of data and comparability of data. - Precision of the expectation ### Tests of details - When do we use ADA vs. sampling? - When do we use ADA? - Evidence to support audit test is available in electronic form. - Audit population is large and tests are supported by reliable and relevant data in electronic form, making ADA efficient. - Relevant data is reliable and internal controls over the reliability of data are strong. - Relevant data is clean or can be cleaned up easily. - When do we use sampling? - Professional standards expect the auditor to perform audit procedures. - Evidence to support audit test is not in electronic form. - Audit population is small and can efficiently be testing using traditional audit methods. - Relevant data is not reliable and internal controls over reliability of data are weak. - Relevant data may be in different formats and is not easy to use. ### Considerations for performing substantive procedures at an interim date - Internal Controls - Likely perform if internal controls and control environment is effective. - Assessed risk of material misstatement - Likely to perform if it is low. - Availability of information to perform procedures - Likely to perform if information available during interim period is not readily available at year end. - Nature of substantive procedure - Likely to perform if type of procedure can be performed at interim. - Nature of the account and relevant assertion - Likely to perform if little change is expected in an account balance during period from interim to year end. - Auditors ability to perform additional procedures to cover the remaining period - Likely to perform if can do additional procedures during period after interim and after year end. ### Relationship of RMM and detection risk and the impact on the nature, timing and extent of substantive procedures - Risk of material misstatement = inherent risk x control risk - Higher RMM, lower detection risk. - Nature: Higher RMM, more extensive and detailed testing, lower RMM, less extensive tests and more analytical procedures - Timing: Higher RMM, procedures done closer to year end, lower RMM, procedures done during interim periods. - Extent: Higher RMM, larger sample size, more extensive testing, lower RMM, smaller sample size and rely on internal controls. ### Types of estimates - Forecasting - The outcome of a transaction or event required by a framework. - Determining fair value of a transaction or financial statement item to include on the financial statements and disclosure in the notes required by framework. ### Concerns about estimates - Estimate uncertainty - Likelihood estimate is hard to get under anyone's approach. - Management bias - Bias in making estimate, trying to achieve a certain number. ### How do we audit estimates? - Gain understanding of what is required by clients financial reporting framework. - Inquire with management about the process for identifying the need for accounting estimates. - Inquire about how accounting estimates are made - method of measurements, what controls are in place, assumptions used and how they are developed, any change or if there should be a change in the methods, if management has considered the effect of estimation uncertainty. ### Different types of misstatements noted during an audit - Factual - Actual error we found - Judgmental - Estimates / Disclosures, wrong accounting policy - Recognition, measurement, presentation, disclosure to be unreasonable or inappropriate. - Projected - Auditor's best estimate of the misstatement in a population based on the misstatement found in a sample from the population. ## Chapter 10 ### Why does an auditor use sampling? - Test less than 100% of the population. - Provide a reasonable basis for conclusions about the population. ### Drawbacks of sampling (not representative, etc.) - Not representative of population. - Bias. - Time consuming and expensive. - Misrepresentation of results. ### Sampling risk - Possibility that the auditor reaches an inappropriate conclusion because the sample is not representative of population. - Risk of incorrect acceptance / rejection - Risk of incorrect rejection: - Risk that the auditor concludes that there is a material misstatement when, in fact, there is not. - An increase in audit effort when it is not required means audit will be inefficient. - Risk of incorrect acceptance: - Risk that when the sample says there is no material misstatement, there is one. - Increased audit risk that the audit will be ineffective. - Worse than incorrect rejection. ### Statistical vs. non-statistical sampling - Statistical Sampling - Requires random selection of sample items. - Uses an appropriate technique to determine sample size and evaluate sample results such as the measurement of sample risk. - Allows ability to assess efficiency of our results. - Smaller samples, but harder to understand. - Non-statistical sampling - Does not use techniques to determine sample size, select the sample items or measure sampling risk. - Judgement based, no math involved, larger samples. ### Different methods in selecting a sample - Random - Sample is free from bias and every item has a equal chance of being selected. - Systematic - Dividing the number of items in population by the sample size (sampling interval) and start at item below sampling interval. - Haphazard - No use of methodical technique. - Used in non-statistical sample methods. ### How we apply non-statistical sampling to account balances - Individually significant items - Selecting the sample - Process should be unbiased - Attempt to obtain a representative sample of items - Stratification - Used to improve audit efficiency if used before random selection. - Breaking the population into groupings that have common characteristics or criteria (ex: invoices over 10,000) - Project the misstatement found in the sample to the audit population - Consider sampling risk when evaluating sample risks - Two methods to project misstatements - Ratio method - Ratio of the audit value of the sample divided by the book value of the sample. - Difference method - Adding or subtracting the projected difference between audit value and book value of each status to the book value of the stratum. ### An auditor is required to obtain sufficient understanding of each component of an entity’s internal control system to plan the audit of the entity’s financial statements and to assess control risk for the assertions embodied in the account balance, transaction class, and disclosure components of the financial statements 1. Define internal control - Process effected by entity's management, board of trustees, and other personnel to provide reasonable assurance regarding the achievement of objectives related to compliance, operations and reporting. 2. For what purpose should an auditor's understanding of the internal control components be used in planning an audit? - The auditor should understand the internal control components being used in planning an audit to assess the control risk, or the risk of material misstatement due to the internal controls or lack thereof. This can be because of deficiencies or material weaknesses in the controls. They should also know the internal controls to help them develop their audit strategy and to plan the nature, timing, and extent of audit procedures that needed to be performed to have a successful audit. 3. What are an auditor’s documentation requirements concerning an entity’s internal control system and the assessed level of control risk? - The auditor must document their understanding of the internal control system such as the 5 elements - the control environment, risk assessment, control activities, information and communication, and monitoring activities. They must also document their assessment of the control risk. They should include if there is any deficiencies or material weaknesses in their internal control system. ### Assume that you are an audit senior in charge of planning the audit of an entity that your firm has audited for the previous four years. During the audit planning meeting with the manager and partner in charge of the engagement, the partner noted that the entity recently adopted an IT-based accounting system to replace its manual system. The manager and partner have limited experience with IT-based accounting systems and are relying on you to help them understand the audit implications of the entity’s change. Consequently, they have asked you to respond to a few concerns regarding automated accounting systems. 1. In previous years, the audit firm has relied heavily on substantive procedures as a source of audit evidence for this entity. Given that the entity now has changed its accounting system, what are some of the factors that you should consider when deciding whether to move to a reliance strategy? - Some factors that should be considered when deciding whether to move to a reliance strategy is if all evidence is in electronic format and if the system is effective at preventing or detecting and correcting any misstatements. They should also consider if the test is supported by reliable and relevant data and if the internal controls over data are strong enough to rely on them and therefore, do less substantive testing. 2. Under what conditions should the audit firm consider engaging an IT specialist to assist in the evaluation? If the firm hires an IT specialist, what information should the auditors ask the specialist to provide? - An audit firm should consider engaging an IT specialist to assist in the evaluation when the IT system is very complex and advanced and therefore, the auditors do not have a complete and full expertise and knowledge about it. They should also do it if there is any significant changes in the processes that the auditors may not know or fully understand. They should also ask if the evidence available in electronic format is not sufficient enough to meet audit requirements. The auditors should ask the IT specialist of how the system works and the processes. They should also ask about the design and operating effectiveness of the controls to help them make a sufficient assessment on the internal controls. ### How are the five components of the entity’s internal control affected by the entity’s change to an IT-based accounting system? - Control of the environment is the tone of the organization or the culture. If they change it to an IT based accounting system then that may change. Another component is the risk assessment. If they change to an IT based system there will be more risks related to technology, systems, security and reliability of these systems. The next is control activities which is actionable controls at the transaction level. These may change to automated controls instead of manual controls and this may be riskier if the system is not reliable. Information and communication may improve but auditors should still assess the quality and reliability of the information that is coming out of the system. The last is monitoring activities, which is monitoring their own internal control system and verifying that everything is correct. They may have to do less of this since it is through a system and it can be programmed to do itself, but auditors should still check that the system is reliable and the information going into the system is accurate. ### What are the five procedures used for tests of controls? Explain them and comment on the reliability of the evidence obtained from each. 1. Inquiry - asking how the control is completed and whether it has been carried out properly - Not very reliable and must be verified with other evidence 2. Observation - observing how the actual control is being performed - Not as reliable since employees can perform it more diligently if they know they are being watched so must have other evidence 3. Inspection of physical evidence - testing physical evidence to verify that a control is being performed properly - Very reliable 4. Reperformance - Reperformance control to tests its effectiveness - Very reliable 5. Test of software controls - use software based techniques to test IT controls - Only reliable if have evidence to show that the IT general controls and IT application controls are strong and effective ### Identify the factors that influence sample size in a test of controls. Provide an example related to each factor in terms of how it would potentially increase the level of control testing. ### Explain the relationship between the results of tests of controls and substantive testing. - If the results of a test of controls indicate that the internal controls are strong and effective at preventing or detecting and correcting misstatements, then auditors can reduce the amount of substantive testing needed. If not, they would need to perform more extensive substantive procedures if there is an increased risk of material misstatements. ### What are substantive procedures designed to obtain evidence about? What are the main types of substantive procedures? - Direct evidence about the completeness, accuracy, validity of data, and reasonableness of estimates in financial statements. - Test of details - Inspection, observation, inquiry, confirmation, recalculation, Reperformance, scanning, and ADA. - Substantive analytical procedures ### Using the allowance for doubtful accounts as an example, briefly explain the risk assessment procedures that would be performed on the accounting estimate - Understand the entity and industry. - Understand managements process in estimating allowance for doubtful accounts. - Understand relevant policies need to follow related to it - Understand internal controls related to making the estimate such as observing, inquiring, inspecting, etc. of how they make the estimate and what they do, etc. ### Assume that an auditor is auditing inventory for a computer manufacturer with strong internal controls. Identify one assertion where the auditor is likely to use audit sampling. Explain your reasoning. Then identify another assertion where the auditor is likely to use audit data analytics. Explain your reasoning. - Completeness - ensure all inventory items that should be recorded are actually included on the financial statements - Use audit sampling to examine a sample of inventory transactions to verify that they were on there - Valuation - determine if inventory is valued appropriately at lower cost or net realizable value - Analyze sets of data of any outliers or trends, etc. ### Using your example of audit sampling in the answer to R10.1, what items make up the population? What items are subject to being sampled? When the sample is complete, is the auditor drawing a conclusion about the sample or the population? Explain your reasoning. - Population would be all inventory items recorded - Items subject to being sampled could be inventory records that are of higher risk or more significant in value - When the sample is complete, the auditor is drawing a conclusion from the population because the auditor is determining if the completeness assertion is valid for the entire population based on the sample. ### Explain the difference between the two types of sampling risk for substantive procedures: the risk of incorrect acceptance and the risk of incorrect rejection. What are the errors’ different implications for the audit? Which is the more serious risk? Explain. - Risk of incorrect acceptance is the risk that the auditor concludes that a material misstatement does not exist when in fact it does. The increased audit risk is that the audit will be ineffective. - Risk of incorrect rejection is the risk that a material misstatement exists when it does not. An increase in audit effort when it is not required means that the audit will be inefficient. - Risk of incorrect acceptance is the more serious risk because it results in an ineffective audit, and therefore, an incorrect auditor's report. ### What are the advantages of nonstatistical sampling over statistical sampling? - Requires less staff and training - Considered easier to use - Allows auditor to select a sample he or she believes is appropriate ### Explain the advantages of statistical sampling over nonstatistical sampling. - Can be measured and quantified - More objective way - Uses appropriate statistical techniques