9.2 Flashcards Preview

AUD Study Unit 9 > 9.2 > Flashcards

Flashcards in 9.2 Deck (20)
Loading flashcards...
1
Q

In obtaining an understanding of an issuer’s internal control, an auditor does all the following except

A

Send confirmations to customers.

Confirmations to customers are substantive procedures used to test the existence assertion. They are not useful in obtaining an understanding of controls.

2
Q

An auditor is conducting an integrated audit of internal control with the audit of a nonissuer’s financial statements. In applying the top-down approach, the auditor first

A

Focuses on entity-level controls and then significant classes of transactions, account balances, and disclosures.

The top-down approach to evaluating internal control begins at the financial statement level by understanding overall risks, focusing on entity-level controls, and then working down to significant classes of transactions, account balances, and disclosures. Examples of entity-level controls are controls (1) related to the control environment, (2) over management override, (3) to monitor results of operations, (4) over the period-end financial reporting process, and (5) to monitor other controls.

3
Q

The activities of the user entity and the service organization have a high degree of interaction. The user auditor

A

Need not test the service organization’s internal control if the user entity has effective controls related to service organization processing.

The significance of controls at the service organization depends on the degree of interaction between its activities and those of the user entity. The degree of interaction is the extent to which the user entity can, and chooses to, implement effective controls over service organization processing. In these circumstances, the user auditor may be able to obtain an understanding from the user entity of the service organization’s services that suffices to assess the RMMs. Accordingly, the user auditor need not obtain a type 1 or type 2 report.

4
Q

Which of the following statements is true about an auditor’s communication with those charged with governance?

A

This communication should include management changes in the application of significant accounting policies.

The auditor should communicate to those charged with governance, among other things, management’s selection of and changes in significant accounting policies or their application. The auditor also should determine that those charged with governance are informed about the methods used to account for significant unusual transactions and the effects of significant accounting policies in controversial or emerging areas (AU-C 260).

5
Q

During the planning phase of an audit, an auditor is identifying matters for communication to those charged with governance. The auditor most likely would ask management whether

A

There were changes in the application of significant accounting policies.

The auditor should determine that those charged with governance are informed about the initial selection of and changes in significant accounting policies or their application. Moreover, the auditor should discuss the quality of the auditee’s accounting principles as applied in its financial reports (AU-C 260).

6
Q

In the audit, the auditor reports on the effectiveness of an entity’s internal control over financial reporting. Which of the following is not a condition of that engagement?

A

Management provides assurance that limitations inherent to internal control have been eliminated.

By their nature, limitations inherent to internal control cannot be eliminated. Thus, management is not expected to provide such assurance.

7
Q

A secondary result of the auditor’s understanding of internal control for a nonissuer is that the understanding may

A

Bring to the auditor’s attention possible control conditions required to be communicated to the client.

The auditor is not required to search for significant deficiencies or material weaknesses in internal control. However, the auditor may identify these conditions during the audit. Significant deficiencies and material weaknesses should be communicated in writing to management and to those charged with governance (AU-C 265).

8
Q

Management of an issuer subject to SEC requirements requests the auditor to report on whether a previously reported material weakness in internal control continues to exist. The request comes 3 months after the annual audited financial statements and report on internal control were released.

A

The auditor may accept the engagement if management provides a statement that the identified material weakness no longer exists.

PCAOB AS 6115 applies to engagements solely to report on whether a previously reported material weakness continues to exist. Such an engagement is voluntary and may be performed as of any reasonable date selected by management. To perform such an engagement, the auditor should receive a written report from management that the identified material weakness no longer exists as of the date specified. The auditor then applies appropriate procedures to assess whether remediation has been accomplished.

9
Q

Which of the following matters is an auditor required to communicate to those charged with governance?

A

Adjustments that were suggested by the auditor and recorded by management that have a significant effect on the entity’s financial reporting process.

Certain matters should be communicated to those charged with governance (e.g., the audit committee) if all such individuals are not involved in management. These matters include material, corrected misstatements that were brought to the attention of management as a result of audit procedures (AU-C 260).

10
Q

The Sarbanes-Oxley Act of 2002 (SOX) requires management of issuers to do all of the following except

A

Provide a statement that the board approves changes in internal control procedures.

SOX imposes many requirements on management, boards of directors, and auditors. Section 404 applies to internal controls and reports on them. Section 404 requires management to establish and document internal control procedures and to include in their annual reports a report on the entity’s internal control over financial reporting. The report is to include (1) a statement of management’s responsibility for internal control, (2) management’s assessment of the effectiveness of internal control as of the end of the most recent fiscal year, and (3) identification of the framework used to evaluate the effectiveness of internal control (such as the COSO report). Because of this requirement, PCAOB AS 2201 states that audit opinions are to be expressed on the effectiveness of those controls and on the financial statements. Section 301 addresses activities of the board but does not require the board to approve changes in controls.

11
Q

Which of the following circumstances would be inappropriate for the auditor to communicate to those charged with governance?

A

No significant deficiencies in internal control exist that would affect the financial statements.

An auditor may issue a written communication stating that no material weaknesses were identified if the auditor complies with the applicable requirements for such communications. But a written communication stating that no significant deficiencies were identified is prohibited. It might be misunderstood or misused (AU-C 265).

12
Q

An auditor is auditing a mutual fund company that uses a transfer agent to handle accounting for shareholders. Which of the following actions by the auditor would be most efficient for obtaining information about the transfer agent’s internal controls?

A

Review reports on the suitability of design and operating effectiveness of controls produced by the agent’s own auditor.

The mutual fund auditor can use the service auditor’s report to gain an understanding of the controls and to assess the risk of material misstatement at the transfer agent.

13
Q

Which of the following is a true statement concerning an engagement to examine the effectiveness of an entity’s internal control over financial reporting?

A

The management evaluates the effectiveness of internal control.

As part of engagement performance for both AU-C 940 and AS 2201, the auditor should obtain from management a written assessment about internal control effectiveness.

14
Q

In communicating with those charged with governance, the auditor must decide whether to communicate with the audit committee or the client’s entire board of directors. Which of the following considerations will be least relevant to this decision?

A

Management’s preference.

Before communicating with a subgroup (e.g., an audit committee) of those charged with governance, the auditor may consider such matters as (1) the responsibilities of the subgroup and the governing body, (2) the nature of the matter, (3) legal or regulatory requirements, (4) whether the subgroup can (a) act on the information and (b) provide further information and explanations the auditor may need, and (5) whether the auditor is aware of potential conflicts of interest between the subgroup and other members of the governing body. However, management’s preference is irrelevant. The auditor’s professional judgment, authoritative guidance, and legal requirements determine the matters communicated.

15
Q

In an audit engagement, should an auditor communicate the following matters to those charged with governance?

Auditor’s judgement’s about the quality of the client’s accounting principles:
Issues discussed with management prior to the Auditor’s retention:

A

Yes
Yes

The matters to be discussed with those charged with governance include the quality of the accounting principles used by management. Management is normally a participant in the discussion. Matters covered may include the auditor’s views on the entity’s significant accounting practices, e.g., policies, estimates, and disclosures. Furthermore, in any audit engagement, the auditor and those charged with governance should discuss any major issues discussed with management in connection with the initial or recurring retention of the auditors, for example, issues concerning the application of accounting principles and auditing standards.

16
Q

A CPA had previously communicated a significant control deficiency in connection with an audit of prior financial statements of a nonissuer. As of the current audit date, the deficiency has not been corrected. What communication should be made by the CPA?

A

The condition should be reported.

AU-C 265 requires communication about significant deficiencies and material weaknesses and makes no exception solely for previous reporting of a condition. This can be accomplished by a written communication referring to the previously written communication and the date of that communication.

17
Q

Which of the following statements correctly describes the “top-down approach” used during an audit of internal control over financial reporting?

A

Begin by understanding the overall risks to internal control over financial reporting at the financial statement level.

The auditor begins an integrated audit at the financial statement level by understanding the overall risks to internal control over financial reporting and focusing on entity-level controls. The auditor then performs procedures on significant classes of transactions, account balances, disclosures, and their relevant assertions.

18
Q

An auditor is required to establish an understanding with a client regarding the services to be performed for each engagement. For an auditor of a nonissuer, this understanding generally includes

A

The auditor’s responsibility for ensuring that management and those charged with governance are aware of any significant deficiencies or material weaknesses in control that come to the auditor’s attention.

An auditor should accept an engagement only when the basis for audit performance is agreed through (1) establishing whether the preconditions for an audit exist and (2) confirming that the auditor and management (and, possibly, those charged with governance) have a common understanding of the terms of engagement. The agreement typically is documented in an engagement letter (AU-C 210). An engagement letter for a nonissuer should indicate that a financial statement audit is not designed to provide assurance on internal control. However, the auditor is responsible for ensuring that management and those charged with governance are aware of any significant deficiencies or material weaknesses in control that come to his or her attention.

19
Q

Firms subject to the reporting requirements of the Securities Exchange Act of 1934 are required by the Foreign Corrupt Practices Act of 1977 to maintain satisfactory internal control. Moreover, the Sarbanes-Oxley Act of 2002 requires that annual reports include (1) a statement of management’s responsibility for establishing and maintaining adequate internal control and procedures for financial reporting, and (2) management’s assessment of their effectiveness. The role of the registered auditor relative to the assessment made by management is to

A

Determine whether management’s report is complete and properly presented.

According to PCAOB AS 2201, the auditor must express (or disclaim) an opinion on the effectiveness of internal control. Moreover, if the auditor determines that elements of management’s annual report on internal control over financial reporting are incomplete or improperly presented, the auditor should modify his or her report to describe the reasons for this determination.

20
Q

A service auditor’s report on internal control may be issued on management’s description of a service organization system and the suitability of the design of controls or management’s description of a service organization system and the suitability and operating effectiveness of controls. Which of the following is true about a type 1 report?

A

It should state that the auditor did not test the effectiveness of the controls.

A service auditor’s type 1 report should contain a statement that the auditor did not test the effectiveness of the controls.
The AICPA has issued additional guidance on service auditor reports. The term System and Organization Controls (SOC) report is used in this guidance. The reports obtained by the user auditor in an audit are called SOC 1 reports (type 1 or type 2). Service auditors also may prepare SOC 2 and SOC 3 reports to provide assurance on more than internal controls over financial reporting (e.g., security, availability, processing integrity, confidentiality, or privacy). SOC 2 reports are to be used by those identified in the report, and SOC 3 reports may be used by any user.