7-1) Briefly summarize management's and the auditor's responsibilities under section 404 of the Sarbanes-Oxley Act of 2002
o Accept responsibility for the effectiveness of the entity's ICFR (internal control over financial reporting)
o Evaluate the effectiveness of the entity's ICFR using suitable control criteria
o Support the evaluation with sufficient evidence including documentation
o Present a written assessment regarding the effectiveness of the entity's ICFR as of the end of the entity's most recent fiscal year
• Section 404 requires the auditor to audit management's assertion about the effectiveness of ICFR
7-2) Discuss how the terms likelihood and magnitude play a role in evaluating the significance of a control deficiency
Control deficiency: exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis
• Likelihood of an event is a "reasonable possibility" if it is either reasonably possible or probable
• Likelihood is broken down into two categories: "remote" or "reasonably possible or probable"
• Magnitude is broken down into three categories: "not material or significant", "not material but significant" or "material"
7-3) The first element in management's process for assessing the effectiveness of internal control is determining which controls should be tested. Identify the controls that would typically be tested by management
o Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements
o Controls over the selection and application of accounting policies that are in conformity with GAAP
o Antifraud programs and controls
o Controls, including IT general controls, on which other controls are dependent
o Controls over significant nonroutine and nonsystematic transactions, such as accounts involving judgments and estimates
o Entity-level controls
7-4) Describe how management and the auditor decide on which locations or business units to test.
• The approach followed by management in choosing which locations to include in its assessment of internal control is a function of the presence of entity-level controls and the financial reporting risk at the individual locations or business units. When controls that are necessary to address financial reporting risks operate at more than one location or business unit, management needs to evaluate evidence of the operation of the controls at the individual locations or business units.
• When management determines that the financial reporting risks for the controls at an individual location are high, management will normally need to directly test the operation of the controls at that location.
7-5) Management must document its assessment of internal control. What would such documentation include?
• Documentation would include the design of the controls management has placed in operation to adequately address identified financial reporting risks.
• Also include information such as policy manuals, process models, flowcharts, job descriptions, documents, and forms
7-6) List the steps in the auditor's process for an audit of ICFR
• Plan the audit of ICFR
• Identify controls to test using a top-down, risk-based approach
• Test the design and operating effectiveness of selected controls
• Evaluate identified control deficiencies
• Form an opinion on the effectiveness of ICFR
7-7) How does the auditor evaluate the competence and objectivity of others who perform work for management?
o Educational level and professional experience
o Professional certification and continuing education
o Audit policies, procedures, and checklists
o Practices regarding their assignments
o The supervision and review of their audit activities
o The quality of their working paper documentation, reports, and recommendations
o Evaluation of their performance
o The organizational status of the internal auditors responsible for the internal audit function
o Policies to maintain internal auditors' objectivity about the areas audited
The risk associated with the control being tested also plays a role in using the work of others. As the risk associated with the control increases, the auditor should perform more of the work.
7-8) Describe the steps in obtaining an understanding of ICFR using a top-down, risk-based approach.
The auditor first identifies the entity-level controls. Next the auditor identifies the significant accounts and disclosures, and understands where the likely sources of misstatements occur. Based on this information, the auditor selects which controls to test.
7-9) The period-end financial reporting process controls are always important. What are those controls and what should the auditor's evaluation of those controls include?
• Procedures used to enter transaction totals into the general ledger
• Select and apply accounting policies
• Initiate, authorize, record, and process period end journal entries in the general ledger
• Record recurring and nonrecurring adjustments to the annual and quarterly financial statements
• Prepare annual and quarterly financial statements and related disclosures
The evaluation should include the inputs, procedures performed, and outputs of the processes the company uses to produce its annual and quarterly financial statements.
7-10) A walkthrough involves tracing a transaction through the information system. What types of evidence does a walkthrough provide to the auditor?
It helps the auditor in confirming his or her understanding of control design and transaction process flow, as well as in determining whether all points at which misstatements could occur have been identified, evaluating the effectiveness of the design of controls, and confirming whether controls have been placed in operation. It identifies abuse of controls or indicators of fraud.
7-11) AS5 indicates that certain circumstances are indicators of a material weakness. What are these circumstances, and why do you think the PCAOB assessed them as being of such importance?
• Identification of fraud, whether or not material, committed by senior management
• Restatement of previously issued financial statements to reflect the correction of a material misstatement
• Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company's ICFR
• Ineffective oversight of the company's external financial reporting and ICFR by the company's audit committee
These would all affect the preparation of financial statements in accordance with US GAAP
7-12) Describe what is meant when management remediates a material weakness. If a material weakness is remediated and sufficiently tested before the "as of" date, what can management assert about ICFR?
Remediation: when an entity determines that it has a material weakness, it should take steps to correct it. If there is sufficient time to remediate the material weakness and the testing shows that the new control is operating effectively, management and the auditor can issue a report that ICFR is operating effectively.
7-13) What are the auditor's documentation requirements for an audit of ICFR?
• The documentation must include the auditor's understanding and evaluation of the design of each of the components of the entity's ICFR
• Document the process used to determine the points at which misstatements could occur within significant accounts and disclosures
• The auditor must document the extent to which he or she relied upon work performed by others.
• The auditor must describe the evaluation of any deficiencies discovered, as well as any other findings, that could result in a modification to the auditor's report
7-14) What are the types of reports that an auditor can issue for an audit of ICFR? Briefly identify the circumstances justifying each type of report.
Unqualified Report - provides reasonable assurance that the client's controls are designed and operating effectively in all material respects as of the balance sheet date
Adverse Report for a Material Weakness - The presence of a material weakness at the end of the period necessitates an adverse assessment by management and an adverse opinion by the auditor. An adverse report includes a definition of a material weakness and a description of the particular material weakness identified in the client's system of internal control, along with the auditor's opinion that the client has not maintained effective ICFR as of the report date.
Disclaimer for Scope Limitation - The auditor can express an unqualified opinion on the effectiveness of ICFR only if the auditor has been able to apply all the procedures necessary in the circumstances. If the scope of the auditor's work is limited because of circumstances beyond the control of management or the auditor, the auditor should disclaim an opinion or withdraw from the engagement.
7-15) Under what circumstances would an auditor give an adverse opinion on the effectiveness of a client's ICFR?
The presence of a material weakness at the end of the period necessitates an adverse assessment by management and an adverse opinion by the auditor.
7-16) Under what circumstances would an auditor disclaim an opinion on the effectiveness of a client's ICFR?
The auditor can express an unqualified opinion on the effectiveness of ICFR only if the auditor has been able to apply all the procedures necessary in the circumstances. If the scope of the auditor's work is limited because of circumstances beyond the control of management or the auditor, the auditor should disclaim an opinion or withdraw from the engagement.
7-17) What should the auditor do when a significant period of time has elapsed between the service organization auditor's report and the date of management's assessment?
Additional procedures should be performed.
• Investigate whether management has taken actions to monitor or evaluate the quality of the service provider and evaluate results of such actions.
• Contact the service organization to obtain specific information, or request that a service auditor be engaged to perform procedures that will supply the necessary information
• The auditor might even visit the service organization and perform such procedures firsthand
Based on the evidence obtained, management and the auditor should determine whether they have obtained sufficient evidence to obtain the reasonable assurance necessary for their assessment and opinion.
7-18) Distinguish between generalized and custom audit software. List the functions that can be performed by generalized audit software.
Generalized audit software includes programs that allow the auditor to perform tests on computer files and databases. Functions of generalized audit software:
o File or database access
o Selection operators
o Arithmetic functions
o Statistical analyses
o Report generation
Custom audit software is generally written by auditors for specific audit tasks
19. A control deviation caused by an employee performing a control procedure that he or she is not authorized to perform is always considered a
deficiency in operation
20. Which of the following is not a factor that might affect the likelihood that a control deficiency could result in a misstatement in an account balance?
the financial statement amounts exposed to the deficiency
21. Entity-level controls can have a pervasive effect on the entity's ability to meet the control criteria. Which one of the following is not an entity-level control?
controls to monitor the inventory taking process.
22. Which of the following controls would most likely be tested during an interim period?
controls that operate on a continuous basis
23. If the financial reporting risks for a location are low and the entity has good entity-level controls, management may rely on which of the following for their assessment.
documentation and test controls over specific risk
24. Auditing Standard 5 requires an auditor to perform a walkthrough as part of the internal control audit. A walkthrough requires an auditor to
trace a transaction from each major class of transactions from origination through the company's information system until it is reflected in the company's financial reports.
25. When auditors report on the effectiveness of internal control "as of" a specific date and obtain evidence about the operating effectiveness of controls at an interim date, which of the following items would be the least helpful in evaluating the additional evidence to gather for the remaining period?
the walkthrough of the control system conducted at interim.
26. AnnaLisa, an auditor for N.M. Neal & Associates, is prevented by the management of Lileah Company from auditing controls over inventory. Lileah is a public company. Management explains that controls over inventory were recently implemented by a highly regarded public accounting firm that the company hired as a consultant and insists that it is a waste of time for AnnaLisa to evaluate these controls. Inventory is a material account, but procedures performed as part of the financial statement audit indicate the account is fairly stated. AnnaLisa found no material weakness in any other area of the client's internal control relating to financial reporting. What kind of report should AnnaLisa issue on the effectiveness of Lileah's internal controls?
a disclaimer of opinion
27. In auditing a public company client, Natalie, an auditor for N. M. Neal & Associates, identifies four deficiencies in ICFR. Three of the deficiencies are unlikely to result in financial misstatements that are material. One of the deficiencies is reasonably likely to result in misstatements that are not material but significant. What type of audit report should Natalie issue?
an unqualified report
28. In auditing ICFR for a public company client, Emily finds that the company has a significant subsidiary located in a foreign country. Emily's accounting firm has no offices in that country, and the company has thus engaged another reputable firm to conduct the audit of internal control for the subsidiary. The other auditor's report indicates that there are no material weaknesses in the foreign subsidiary's ICFR. What should Emily do?
accept the other auditor's opinion after evaluating the auditor's work, and make reference to the other auditor's report in her audit opinion.
29. Which of the following statements concerning control deficiencies is true?
the auditor should communicate to management, in writing, all control deficiencies in internal control identified during the audit.
30. Significant deficiencies and material weaknesses must be communicated to an entity's audit committee because they represent
significant deficiencies in the design or operation of internal control
31. Which of the following most likely represents a weakness in internal control of an IT system?
the systems analyst reviews output and controls the distribution of the output from the IT department
32. A primary advantage of using generalized audit software packages to audit the financial statements of a client that uses an IT system is that the auditor may
access information stored on computer files while having a limited understanding of the client's hardware and software features.