Review Questions Solutions
Chapter 2, Overview of an Integrated Audit
Page 37
A1 What is the term for an engagement to audit both the financial statements and ICFR?
Integrated
A2 What entity sets standards for audits of U.S. public companies? Nonpublic companies?
PCAOB
AICPA
A3 What is the difference between audits performed under PCAOB and AICPA standards?
Audits performed for public companies (SEC registrants) are performed under PCAOB standards and include an audit of ICFR and an audit of financial statements that must be performed as a single engagement. Audits of nonpublic companies under AICPA standards address only the financial statements.
Page 37
B1 What is the set of standards for internal control most frequently used in the U.S.?
COSO Internal Control Framework
B2 What is the set of standards against which U.S. financial statements are usually analyzed in an audit?
Generally Accepted Accounting Principles (GAAP)
B3 What are the client prerequisites in order for an audit to be performed?
Sufficient records
Auditor confidence in management integrity
Page 41
C1 What are preliminary engagement procedures?
Client acceptance or continuance
Establishing an understanding about the terms of the engagement with the client
Confirming the auditor's independence and, in the first year of an audit of a public company, communicating that independence in writing to the audit committee
C2 What is the client acceptance and continuance process?
An active decision process regarding whether to perform the audit for the company. It involves determining whether the auditor wants to be associated with the client and is capable of providing the services required, as well as the proposal process.
C3 What is ICFR?
Internal control over financial reporting (ICFR) is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP.
C4 In general, how does the auditor obtain information about the client company for planning and risk assessment?
The auditor obtains this information through
- Information gathered in the client acceptance or continuance process
- Understanding the management information system
- Understanding the accounting information system and ICFR
- Information obtained while reviewing interim reports filed with the SEC in the case of public companies
- Documentation created by management for its assessment of the effectiveness of ICFR
C5 Why are audit planning and risk assessment considered together, early in the audit?
The initial audit planning process is grouped with risk assessment because as the audit team obtains information about the nature of a client’s business, important transactions and accounting information system, including internal control over financial reporting, it can make preliminary decisions about the audit procedures necessary. The procedures are planned to target the “risks” of the client, which can be important accounts, characteristics and weaknesses. Once the auditor understands and assesses the important characteristics or risks of the company, the preliminary audit plan can be designed with audit procedures to collect evidence on those important areas.
C6 What does it mean when we say that an auditor assesses the design effectiveness of the system?
The auditor considers the controls built into the system and decides whether those controls are appropriate for the risks that are important to the company’s business and its ability to prepare fair financial statements for external use. The assessment of design effectiveness addresses only the controls that are described to the auditor as being in place, and extends to investigating whether it seems that the controls actually exist. Assessing design effectiveness does not gather evidence on whether the controls actually operate effectively.
C7 Why does audit planning continue throughout the audit? Give an example of why the auditor might revise planning after testing the operating effectiveness of a company’s controls?
Audit planning is a continuous activity that is performed over the duration of the audit because information collected during the audit can cause the audit team to revisit and revise the audit plan.
The auditor might revise planning after testing the operating effectiveness of a company’s controls if it is determined that the controls were not operating effectively. This would require the auditor to modify the planned procedures, first to be sure that the audit evidence collected is correct, and if so, then to obtain evidence needed to express an opinion on the fairness of the financial statements. More evidence would be needed for the financial statement audit than originally expected if, when planning the financial statement audit, the auditor assumed the ICFR was effective.
C8 What audit results cause a preliminary conclusion that internal control over financial reporting is effective?
Results indicating that controls are properly designed, implemented, and are operating as described.
C9 What are substantive audit procedures?
Procedures that collect evidence on the company’s financial accounts and disclosures.
C10 What are the final steps of an integrated audit?
Numerous steps include: reviews, obtaining specific communications from the company’s management and lawyers, making a final conclusion on the appropriate audit opinions, making specific communications from the auditor to management and the audit committee, issuing the audit opinions.
Page 48
D1 What is the relationship between management’s financial statement assertions and audit evidence?
In preparing the company’s financial statements management makes representations about the information that are called assertions. The assertions indicate what management is communicating about information included in the financial statements. In its report filed with the SEC, management also asserts whether the system of internal control over financial reporting operates effectively at the report date. In order to express an opinion on the fairness of the financial statements and effectiveness of ICFR, the auditor is required to collect evidence supporting the audit conclusion. This is accomplished by examining audit evidence about the correspondence between the assertions and the actual events, activities and conditions of the company.
D2 What is the relationship between due professional care and negligence?
If an auditor exercises due professional care he or she is not behaving in a negligent manner.
D3 Do auditors need to find immaterial financial statement misstatements?
No, only those that would make the financial statements materially misleading.
D4 What is sufficient competent (appropriate) evidence? What is the trade-off between sufficient and appropriate?
The auditor must accumulate enough evidence – in other words, sufficient evidence. Evidence may vary in its quality (reliability) and relation to the assertion the auditor is examining (relevance) – thus may vary in its level of appropriateness. When evidence has a higher degree of appropriateness, it may take less of it to be sufficient.
D5 What is the difference between convincing and persuasive evidence?
Convincing evidence would be the ideal type of audit evidence supporting an auditor’s conclusion beyond all doubt. Because of the possibility of fraud (and other limitations) audit evidence is never convincing. Persuasive evidence, while not convincing, provides strong support for the audit conclusion. Audit evidence is usually only persuasive.
D6 How does the source of evidence affect its reliability?
Evidence obtained from external sources or that comes directly to the auditor (direct personal knowledge) has higher reliability than evidence generated inside the company. This is logical since, unless the outsider is in collusion with the audit client, information coming from the outsider has less of a chance of being manipulated or changed. Evidence coming directly from the outsider to the auditor has the highest reliability (like a confirmation); evidence coming from an outsider through the client to the auditor (like an invoice or statement) has the next level of reliability. Evidence generated within a client generally is viewed as having the lowest level of reliability. However, the reliability of internally generated evidence is enhanced when it is produced by a system with good internal controls.
(As you will learn later, auditors have much more concern over internal transactions developed outside the controls – like adjusting entries that management prepares as the financial statements are drafted – than over routine transactions like typical sales that occur under a tested and strong system of ICFR.)
D7 When is evidence relevant?
Evidence is relevant when it relates to the audit conclusion being addressed.
D8 What is audit risk?
Audit risk is the likelihood that the auditor will issue an opinion stating that the financial statements are fair or the ICFR is effective when that is not correct.
Page 51
E1 What might influence an audit firm’s decision about whether it wants a company as a client?
The company’s reputation
Management integrity
The company’s industry or nature of the company’s business
Financial condition of the company
Size of the company
Audit fee and ability of the audit firm to make a profit on the engagement
E2 What considerations help the audit firm decide whether it can effectively perform an audit?
Does the firm have expertise in the client’s industry?
Does the firm have the resources needed to successfully complete the engagement within the timeframe required? Enough people available generally? Enough people at the right hierarchical levels? Enough people with the needed industry knowledge? Enough people with any special knowledge required (experience with public companies, IT, valuation, etc.).
E3 What is engagement risk? How does the auditor reduce this risk during the client acceptance process?
Engagement risk is the overall risk to the audit firm of being associated with a client. It includes risks like being involved in litigation, not making a profit on the engagement, and experiencing damage to the firm’s reputation. Engagement risk is reduced by:
- Verifying the firm’s understanding of the client’s situation and needs to be sure the risk of performing the engagement is within the range it is willing to accept.
- Conducting comprehensive discussions with the company about its organization and functioning.
- Accessing any publicly available information about the company as well as talking to the company’s prior auditors and when possible resources like the company’s lawyers and bankers.
- Conducting media searches and other investigations.
E4 What are other preliminary engagement procedures beyond client acceptance and continuance?
Prepare an engagement letter and have it signed by the client.
Confirm that the firm is independent of the client. In the first year audit of a public company, the audit firm must confirm its independence and communicate this in writing to the audit committee prior to accepting the engagement. In practice, this is actually more a re-confirming rather than confirming because the audit firm will have assured that it is independent (or will quickly become independent) of the client company before going through the process of proposing on the engagement.
Page 53
F1 How do planning and risk assessment procedures change in subsequent years after the auditor has already audited the client the first time?
Audit planning and risk assessment is likely easier in subsequent year audits because the auditor is updating previous knowledge about the client company, and considering any changes that the company has experienced.
F2 What sources of information about the client company are available early in planning and risk assessment?
Information from prior audit(s)
Information obtained during the client acceptance and continuance process
The work performed on the quarterly information filed with the SEC.
Any documentation the client has prepared of its ICFR.
F3 What procedure does the auditor use to assess the risk of fraud early in the audit?
Consider information obtained during client acceptance and continuance
Inquiry of management on risk of fraud and the company’s fraud controls
Brainstorming session of the audit team
Professional judgment based on what the auditor knows about the client
F4 What are entity-level controls? Why are they important?
Controls that exist throughout the company, for example, policies and procedures and IT general controls (ITGC). Entity level controls are important because they are one of the first considerations in the “top down” approach to an audit.
(As you will learn later, entity level controls can provide various levels of controls to a company. They may be very general such as the existence, use and enforcement of a company Code of Ethics. They may be more specific -- required in order for other controls to be effective – such as an overall requirement for security over computer access that makes other computer controls more reliable. Or, entity level controls can actually provide control that is sufficiently specific for the auditor to rely on it when considering the fairness of the financial statements. An example of this is when the company uses the same IT system throughout its organizational structure, and the system has very specific and effective controls that prevent entry of non-routine transactions from any locations or by any person lacking a high level of clearance.)
F5 What is remediation of internal control problems?
This term refers to the process of management correcting ICFR problems.
F6 What is included in audit documentation? What is an audit plan document?
Audit documentation includes a record of the work performed by the auditor and evidence obtained to enable the auditor to express an opinion on the various management assertions of the financial statements and ICFR. The auditor begins building documentation during client acceptance or continuance, and the process of documenting continues until the audit is completed. The term audit plan typically is used to refer to the document that specifies what procedures are to be followed, linking them to the accounts, assertions and risks.
Page 57
G1 What is a test of controls?
A test of controls is a test to determine whether a control is functioning as designed. In other words, it targets operating effectiveness of an ICFR.
G2 How does an auditor perform an analytical procedure? What might be an example?
Analytical procedures primarily address amounts, trends, etc. that have an expected systematic relationship. These procedures can address amounts within a single year’s financial statements, trends across years or the relationship of the company’s situation to events external to the company. An easy to understand example of an analytical procedure is comparing the principal amount of debt to the interest expense recorded for that debt. A clear-cut relationship is expected between the two amounts.
Before relying on analytical procedures the auditor must determine that the underlying information is complete and has been prepared under a system of effective controls.
G3 How are tests of details of balances different from tests of controls and dual purpose tests? How are tests of details of balances related to evidence?
Tests of controls examine whether an ICFR is operating as expected. Tests of details of balances examine audit evidence to determine the level of correspondence between what a company shows in its accounting records and financial statements and the underlying evidence. Dual purpose test is the term used for an audit procedure that uses the same item of evidence to accomplish the purpose of both a test of controls and a test of details of a balance. Tests of details of balances usually include some kind of documentary evidence. Tests of controls may include documentary evidence, but some controls tests, such as observing an employee performing an activity, do not. If a test of controls does not utilize documentary evidence it probably cannot be combined with a test of details of balances to form a dual purpose test.
G4 What is detection risk, and how does the definition relate to inherent risk and control risk?
Detection risk is the risk that an audit procedure will fail to detect a financial statement misstatement or an internal control weakness.
Page 60
H1 What entity creates the auditing standards that are followed in the audit of a nonpublic company?
The AICPA
H2 What is the fundamental difference in the audit purpose and reports for a public and nonpublic company?
A public company is required to have an integrated audit of the financial statements and management’s report on ICFR that are included in the 10K and filed with the SEC. A nonpublic company is not required by law or regulation to have an audit. If it chooses to have an audit (or is required to by, for example, lenders or minority shareholders) the audit provides an opinion only on the financial statements.
(As is presented in later chapters, a nonpublic company may hire an auditor to perform an examination of ICFR, but this type of engagement is covered under the AICPA attestation standards – not the AICPA audit standards.)
H3 Why might the auditor of a nonpublic company choose to omit testing of internal controls?
The auditor of a nonpublic company must understand the company’s information system and must identify and address the company’s significant risks. However, the auditor is not required by the AICPA auditing standards to test the operating effectiveness of an audit client’s internal controls. An auditor may choose to test the operating effectiveness of a company’s ICFR. This is more likely to happen if it is expected that the results of those tests will permit the auditor to rely to a greater extent on the client’s system to produce reliable financial information, and as a result reduce the substantive testing that must be performed in order to accumulate persuasive audit evidence.
Page 65
I1 What are the generally accepted auditing standards, and what do they mean?
The 10 GAAS are the underpinning for all the more detailed auditing standards. The 10 GAAS (general, field work and report) all apply to financial statement audits. Only the general standards apply to an audit of ICFR.
I2 What is the source of the field work and reporting standards for an audit of ICFR?
PCAOB AS 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements