Exam 3 Review Sheet

This review does not cover every thing. You need to study your text book, notes,
and other handouts.
You need to know:
1. What auditing is
Auditing
is the accumulation and evaluation of evidence about
information to determine and report on the degree of
correspondence between the information and established
criteria.
Auditing should be done by a competent, independent
person.
2. Reasons for audit planning

To enable the auditor to obtain sufficient competent

evidence for the circumstances, to minimize legal
liability and maintain a good reputation in the business
community.
To help keep audit costs reasonable, helps the firm
remain competitive and thereby retain or expand its
client base and to
Avoid misunderstandings with the client, to have good
client relations and for facilitating high-quality work at
reasonable cost.
3. Definitions of inherent risk and acceptable audit risk
Acceptable audit risk and Inherent risk have a significant
effect on the conduct and cost of audits.
• Acceptable audit risk is a measure of how willing
the auditor is to accept that the financial statements may be
materially misstated after the audit is completed and an
unqualified opinion has been issued.

10-1
• Inherent risk is a measure of the auditor's assessment
of the likelihood that there are material misstatements in
an account balance before considering the effectiveness
of internal control.
o If, for example, the auditor concludes that there
is a high likelihood of material misstatement in an account
such as accounts receivable, the auditor would conclude
that inherent risk for accounts receivable is high.

Assessments of acceptable audit risk and inherent risk are

an important part of audit planning, because they affect
the amount of evidence to be accumulated and staff to be
assigned to the engagement.
4. The major steps in audit planning
Initial audit planning involves four things, all of which
should be done early in the audit.
1. The auditor decides whether to accept a new client or
continue serving an existing one. This is typically
done by an experienced auditor who is in a position
to make important decisions.
2. The auditor identifies why the client wants or needs
an audit. This information is likely to affect the
remaining parts of the planning process.
3. The auditor obtains an understanding with the client
about the terms of the engagement to avoid
misunderstandings.
The staff for the engagement is selected, including any
required audit specialists.
5. The communication between successor and predecessor CPA and how is
responsible for initiating it (SAS No. 84)
For prospective clients that have previously been audited
by another CPA firm, the new (successor) auditor is

10-2
required by SAS 84 (AU 315) to communicate with the
predecessor auditor. The communication may inform
the successor auditor that the client lacks integrity or
that there have been disputes over accounting prin-
ciples, audit procedures, or fees.
6. The purpose of an engagement letter
A clear understanding of the terms of the engagement
should exist between the client and the CPA firm. SAS
108 (AU 310) requires that auditors must document
their understanding with the client in an engagement
letter, including the engagement's objectives, the
responsibilities of the auditor and management, and the
engagement's limitations.
The engagement letter should specify whether the
auditor will perform an audit, a review, or a
compilation, plus any other services such as tax returns
or management consulting.
It should also state any restrictions to be imposed on the
auditor's work, deadlines for completing the audit,
assistance to be provided by the client's personnel in
obtaining records and documents, and schedules to be
prepared for the auditor. It often includes an agreement
on fees. The engagement letter is also a means of
informing the client that the auditor cannot guarantee
that all acts of fraud will be discovered.
The engagement letter does not affect the CPA firm's
responsibility to external users of audited financial
statements, but it can affect legal responsibilities to the
client.

10-3
 The engagement letter will also include the agreement
for the audit of the effectiveness of internal control over
financial reporting.
An example of an engagement letter is given in Figure
8-2 (p. 212
7. ?who is responsible for establishing a private company’s internal control
Management has responsibility for establishing and
maintaining the entity's internal controls. Management is
also required by Section 404 to publicly report on the
operating effectiveness of those controls.
In contrast, the auditor's responsibilities include
understanding and testing internal control over financial
reporting. The auditor is also required by Section 404 to
issue an audit report on management's assessment of its
internal controls.
8. what are the key concepts that underlie management’s design and
implementation of internal control

Two key concepts underlie management's design and

implementation of internal control
• Reasonable Assurance: A company should develop
internal controls that provide reasonable, but not
absolute, assurance that the financial statements are
fairly stated. (Consider cost and benefit).
• Inherent Limitations: Internal controls can never be
regarded as completely effective, regardless of the
care followed in their design and implementation.
Even if systems personnel can design an ideal system,
its effectiveness will depend on the competency and
dependability of the people using it.

10-4
 9. The study and evaluation of internal control of public and private companies are
required by who or what

10. what are the primary objectives of effective internal control

INTERNAL CONTROL OBJECTIVES

• A system of internal control consists of policies and

procedures designed to provide management with
reasonable assurance that the company achieves its
objectives and goals.
• Management typically has three broad objectives in
designing an effective internal control system:

1. Reliability of financial reporting. The

management is responsible for the reliability of
financial statements and the objective of effective
internal control over financial reporting is to
fulfill these financial reporting responsibilities.

Efficiency and effectiveness of operations.

2.
Controls within an organization are meant to
encourage efficient and effective use of its
resources to optimize the company's goals.
Compliance with laws and regulations. Section 404
requires all public companies to issue a report about the
operating effectiveness of internal control over financial
reporting.
11. what is the framework used to evaluate the effectiveness of internal control

- In addition, management's internal control report must

identify the framework used to evaluate the effectiveness of
internal control. The internal control framework for most

10-5
U.S. companies is the Committee of Sponsoring
Organizations of the Treadway Commission (COSO)
Internal Control—Integrated Framework, issued in
1992.
• The SEC requires management to include its report on
internal control in its annual Form 10-K report filed
with the SEC.

COSO COMPONENTS OF INTERNAL CONTROL

COSO's Internal Control—Integrated Framework, the most

widely accepted internal control framework in the United
States, describes internal control as consisting of five
components that management designs and implements to
provide reasonable assurance that its control objectives will
be met. Each component contains many controls, but
auditors concentrate on those designed to prevent or detect
material misstatements in the financial statements. The
COSO internal control components include the following:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
The control environment serves as the umbrella for the
other four components
12. what is separation of duties and example on it

1. Adequate Separation of Duties

10-6
 • Separation of the Custody of Assets from
Accounting
• Separation of the Authorization of Transactions
from the Custody of Related Assets
• Separation of Operational Responsibility from
Record-Keeping Responsibility
• Separation of IT Duties from User Departments
Naturally, the extent of separation of duties depends
heavily on the size of the organization.
13. under SOX, what are public companies responsibilities in terms of internal
control

14. The items of the audit planning models.

AAR = IR X CR X PDR
PDR = AAR / IR X CR
AAR acceptable auditing risk
IR inherent risk
PDR Planned detection risk

15. what are the common methods of testing internal controls

Procedures for Tests of Controls
The auditor is likely to use four types of procedures to
support the operating effectiveness of internal controls:
1. Make inquiries of appropriate client personnel. Although
inquiry is not generally a strong source of evidence about
the effective operation of controls, it is an appropriate
form.
2. Examine documents, records, and reports. Many controls
leave a clear trail of documentary evidence.
3. Observe control-related activities. Some controls do not
leave an evidence trail, which means that it is not
possible to examine evidence that the control was

10-7
 executed at a later date. For example, separation of
duties relies on specific persons performing specific
tasks, and there is typically no documentation of the
separate performance.
4. Reperform client procedures.
16. What are the important documents that are used in the sales cycle

17. The difference between vouching and tracing

18. What are the effective procedures to examine audit objectives of occurrence and
completeness, what is the direction of each test
19. What is substantive test
20. The difference between public and private companies in terms of testing internal
control procedures

Questions and Exercises

1. When inherent risk is high, there will need to be:
a. more evidence accumulated.
b. more experienced staff assigned to the work.
c. either a or b, but not both.
d. both a and b.

2. Initial audit planning involves four matters. Which of the following is not one of these?
a. Develop an overall audit strategy.
b. Request that bank balances be confirmed.
c. Schedule engagement staff and audit specialists.
d. Identify the client’s reason for the audit.

3. A CPA firm may choose to not continue working with an audit client for which of the
following reasons?
a. Conflicts over past audits.
b. Disagreements regarding the type of opinion to issue.
c. Disagreements regarding audit fees.
d. All of the above.

4. Which of the following statements is true regarding communications between

predecessor and successor auditors?
a. The burden of initiating the communication rests with the predecessor.

10-8
b. The predecessor should attempt to respond fully and truthfully to the successor’s
inquiries.
c. The predecessor should communicate with the successor only if the client is
public.
d. There is no requirement that the predecessor and successor communicate.

5. An engagement letter sent to an audit client usually would not include a(n):
a. reference to the auditor’s responsibility for the detection of errors or irregularities.
b. estimation of the time to be spent on the audit work by audit staff and
management.
c. statement that management advisory services would be made available upon
request.
d. reference to management’s responsibility for the financial statements.

6. Discuss the factors an auditor should consider before accepting a company as an audit
client.

Answer:
The auditor should investigate and consider the prospective client’s standing in
the business community, financial stability, management’s integrity, and relations with its
bankers, attorneys, and previous CPA firm. The auditor should also determine whether he
or she possesses the required competence and independence to do the audit.

7. Define the term “related party” and discuss why an auditor should identify the client’s
related parties early in the audit.

Answer:
A related party is an affiliated company, principal owner of the client company, or
any other party with which the client deals where one of the parties can influence the
management or operating policies of the other. Auditors need to be aware of who the
client’s related parties are early in the audit to enable the auditor to identify related-party
transactions, especially those that have not been disclosed.

8. There are three main reasons why an auditor should properly plan audit engagements.
Discuss each of these reasons.

Answer:
Three reasons why an auditor should properly plan audit engagements are:

10-9
• To enable the auditor to obtain sufficient competent evidence for the
circumstances. This is essential for minimizing legal liability and maintaining a good
profession reputation.
• To help keep audit costs reasonable. Given the competitive auditing environment,
keeping costs reasonable helps the firm obtain and retain clients.
• To avoid misunderstandings with the client. This is important for good client
relations.

9. Discuss the required communications between predecessor and successor auditors as

outlined by SAS No. 84.

Answer:
Auditing standards require a successor auditor to communicate with the predecessor
auditor whenever accepting a client that has been previously audited. The purpose of the
communication is to help the successor auditor evaluate whether to accept the
engagement. While the burden of initiating the communication rests on the successor
auditor, the predecessor auditor must respond to the request for information. However,
because of the requirements related to confidentiality, the predecessor must obtain the
former client’s permission prior to providing information to the successor.

10. Discuss the four primary purposes of analytical procedures performed during the
planning phase of an audit.

Answer:
The four primary purposes of preliminary analytical procedures are:
• to help the auditor understand the client’s industry and business,
• to help the auditor assess the going concern assumption,
• to indicate areas of possible misstatements, and
• to reduce the extent of detailed tests.

11. Which of the following is responsible for establishing a private company’s internal
control?
a. Management.
b. Auditors.
c. Management and auditors.
d. Committee of Sponsoring Organizations.

10-10
12. Which of the following parties provides an assessment of the effectiveness of internal
control over financial reporting for public companies?
a. Management.
b. Financial statement auditors.
c. Management and the financial statement auditors.
d. Committee of Sponsoring Organizations.

13. When management is evaluating the design of internal control, management evaluates
whether the control can do all but which of the following?
a. Prevent material misstatements.
b. Detect material misstatements.
c. Correct material misstatements.
d. None of the above is correct.

14.
There are four steps in the auditor’s process of understanding internal control and
assessing control risk for a public company. Step one is obtain and document an
understanding of internal control: design and operation. What are the remaining three
steps?

Answer:
The remaining three steps are:
• Assess control risk.
• Design, perform, and evaluate tests of controls.
• Decide planned detection risk and substantive tests.
15.
During a financial statement audit of a private company, three steps must be completed
by the auditor before concluding that control risk is low. What are these steps?

Answer:
The three steps that must be completed by the auditor before concluding that control risk
is low are:
1. obtaining an understanding of the control environment, risk assessment
procedures, accounting information and communication system, and monitoring
methods at a fairly detailed level;
2. identify specific controls that will reduce control risk and make an assessment of
control risk; and
3. test the effectiveness of controls.

16.

10-11
The internal control framework developed by COSO includes five so-called
“components” of internal control. Discuss each of these five components.

Answer:
Five components of internal control are:
• The control environment. The control environment consists of the actions,
policies, and procedures that reflect the overall attitudes of top management about
control and its importance to the company.
• Risk assessment. This is management’s identification and analysis of risks
relevant to the preparation of financial statements in accordance with GAAP.
• Information and communication. This is the set of manual and/or computerized
procedures that identifies, assembles, classifies, analyzes, records, and reports a
company’s transactions and maintains accountability for the related assets.
• Control activities. These are the policies and procedures that help ensure
necessary actions are taken to address risks in the achievement of the company’s
objectives.
• Monitoring. This is management’s ongoing and periodic assessment of the quality
of internal control performance to determine that controls are operating as
intended and modified when needed.

17. Which of the following is not one of the five classes of transactions included in the
sales and collection cycle?
a. Sales returns and allowances
b. Charge-off of uncollectible accounts
c. Bad debt expense
d. Depreciation expense

10-12
d
18. Most companies recognize sales revenue when:
a. sales are invoiced.
b. customer orders are received.
c. goods are shipped.
d. customer orders are approved.

19. The credit-granting function should be separated from which of the following?
a. Purchasing function
b. Manufacturing function
c. Sales function
d. None of the above

20. Explain each of the following types of documents and indicate the class of
transactions in which they are commonly used.
1. Customer order
2. Shipping document
3. Remittance advice
4. Sales returns and allowance journal
5. Uncollectible account authorization form
Answer:
1. Customer order – request for merchandise by a customer. Appears in the Sales
class of transactions.
2. Shipping document – document prepared to initiate shipment of goods, indicating
the description of the merchandise, the quantity shipped, and other relevant data.
Appears in the Sales class of transactions.
3. Remittance advice – document that accompanies the sales invoice mailed to the
customer and can be returned to the seller with payment. Appears in the Cash
receipts class of transactions.
4. Sales returns and allowance journal – journal used to record all sales returns and
allowances, analogous to the sales journal. Appears in the Sales returns and
allowance class of transactions.
5. Uncollectible account authorization form – document used internally to indicate
authority to write off an account receivable. Appears in the charge off of
Uncollectible accounts class of transactions.

21. When testing the occurrence objective for sales, the auditor is concerned with the
possibility of three types of misstatements. One type is sales being included in the journal
for which no shipment was made. Discuss the other two types of misstatements.

Answer:

10-13
 The auditor is also concerned with the possibility of (1) shipments being made to
nonexistent customers and recorded as sales, and (2) sales being recorded more
than once.

22. Describe the three basic steps an auditor should follow when designing tests of
controls and substantive tests of transactions.

Answer:
The three basic steps in designing tests of controls and substantive tests of
transactions are:
• Determine key internal controls for each audit objective.
• Design tests of controls for each control used to support a reduced control risk.
• Design substantive tests of transactions to test for monetary misstatements for
each objective.

10-14