A5 - Integrated Audits, Attestation

1 / 39
Conceptual difference between SSAEs and GAAS?
Click the card to flip 👆
Terms in this set (39)
Which of the following statements correctly states the difference between SOC 1® and SOC 2® reports regarding internal controls at a service organization?SOC 1® report is a report on the internal controls over financial reporting at a service organization and a SOC 2® report is a report on internal controls related to one or more of the Trust Services Criteria.What is a SOC 1 report?A report on Controls at a *service organization* relevant to the User Entities' internal control over financial reporting. This report is issued by a service auditor and intended to be used by a user entity and user auditor in evaluating the impact that certain relevant controls at the service organization have on the financial statements of the user entity. It is a restricted to the management, user, and user auditor.What is a SOC 2 report?A report on Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.What is a type 1 report?A report on the design and implementation of a service organization's controls. (It does not provide assurance on the operating effectiveness of the controls)What is a type 2 report?A report on the design, implementation, *and operating effectiveness* of a service organization's controls.What's the deal with compliance audits?The financial statements must be audited and may only issue a *negative assurance* on compliance (only with regard to financials statements, not any other specified requirements)What kind of entity's need a Single Audit?Any entities that expend total federal assistance equal to or in excess of $750,000 in a fiscal year.What are the two main objectives of a Single Audit?1. Audit of the entity's financial statements and reporting on separate schedule of expenditures of federal awards 2. Compliance audit of federal awards expended during the year as a basis for issuing additional reports on complianceHow is materiality decided under the Single Audit Act?Determined separately for each major federal financial assistance program.When should material weaknesses be reported to issuers?Before the audit is issuedWhen may negative assurance be expressed?When an accountant is requested to report on the results of a review of managements assertions.What types of procedures are allowed for a compliance engagement?Agreed-upon-procedures (no assurance) Examination (reasonable assurance)According to GAGAS, audit documentation should contain sufficient information that...supplementary oral explanations are not required.What results from an AUP engagement?No conclusion, but only report on procedures and findings.What if fraud is committed by a member of senior management, even if immaterial?This would be classified as a material weakness.If an auditor discovers information they should've known during the audit, what should they do first?Discuss with management. If they won't do anything, go to BofD. If they don't do anything, go to regulatory agencies.What characteristic is shared by all audits done for companies receiving federal financial assistance?Auditor is required to document an understanding of internal controls for reasonable assurance of compliance.Examinations would fall under which standards?Compliance attestation standardsWhat are pro forma financial statements?Financial statements that show the effect of a hypothetical event on /historical/ financial statements if it had occurred during that period.What is a financial projection?Prospective financial statements prepared based on a hypothetical assumption ([[restricted]])An accountant would normally have to obtain a letter of representation from management when an audit report is reissued for a prior year, but is this required for reissuing a compilation report from a prior year?No.What kind of assurance does a review engagement provide?Limited (negative) assurance.What would an auditor do in a compilation engagement?Read the statements to make sure they are appropriate in form and there are no obvious material errors.Where should supplementary information be reported?In a separate report, or an additional paragraph (issuer) or one titled "Supplementary Information" (nonissuer)What would most likely determine the appropriate form of audit report when the F/S are prepared in accordance with a reporting framework outside of the US?The expected distribution of the F/SWhat is the deal with "major programs"?They are determined by the auditor using a risk-based approach. They are subject to both general and specific compliance. Auditor is required to report on compliance and internal control over compliance related to /each/ major program.What entity-level controls are specifically identified in the professional standards as a control of importance that should be evaluated?Period-end financial reporting controls Control environmentReporting on internal controls according to GAGAS is different from GAAS in the way thatA report must describe scope of the auditors testing of compliance and internal controls.What if an issue with compliance is discovered after the time period being compliance-audited for an entity?The auditor should only issue an opinion for the period under audit, but may modify the standard report to include a separate paragraph disclosing.