Term
| How does an auditor reduce audit risk to an acceptable level? |
|
Definition
| To reduce audit risk to an acceptable level, the auditor makes overall responses to the assessed RMM at the F/S level. |
|
|
Term
| What does the auditor do for audit risk at the relevant assertion level? |
|
Definition
| At the relevant assertion level, the auditor responds by designing and performing further audit procedures (tests of controls and substantive procedures). |
|
|
Term
| third standard of field work |
|
Definition
| Auditor must obtain sufficient appropriate audit evidence to for a reasonable basis for an opinion regarding the F/S under audit. |
|
|
Term
|
Definition
| risk of material misstatement; combination of inherent and control risks |
|
|
Term
| What does the auditor do for RMM at the relevant assertion level? |
|
Definition
| The auditor should identify risks and relevant controls while gaining an understanding of the entity and its IC, and considering the transactions, balances, and disclosures. |
|
|
Term
|
Definition
Risks should be related to the threats at the relevant assertion level.
The auditor should consider the magnitude of the risks and the likelihood of material misstatement.
As a basis for the risk assessment, the auditor uses audit evidence gathered from obtaining the understanding, including that from
Evaluating the design of controls and
Determining whether they have been implemented. |
|
|
Term
| What is the risk assessment is used for? |
|
Definition
to determine the nature, timing, and extent of further audit procedures
If the risk assessment is based on the expectation that controls are operating effectively at the relevant assertion level, the audit tests suitably designed controls. |
|
|
Term
|
Definition
The auditor determines whether the risks related to
Specific relevant assertions
The statements as a whole |
|
|
Term
| significance of risks at the statement level |
|
Definition
Risks at the statement level often indicate a weak control environment
Such a weakness may affect numerous relevant assertions, and the auditor may need to make an overall response |
|
|
Term
| Do all controls affect risks equally? |
|
Definition
| No. Some controls may specifically and directly affect an assertion. Others may reduce a risk only indirectly and in conjunction w/numerous other controls. |
|
|
Term
| significant risks. What makes inherent risks significant and how is it based? |
|
Definition
The auditor's professional judgment about significance is based on inherent risk prior to considering the effect of identified controls.
Judgment also based on
Nature, magnitude, and likelihood of risk and
Potential for pervasive effects. |
|
|
Term
| factors that increase the likelihood a risk will be significant |
|
Definition
Risk of fraud
Recent significant developments
Complex transaction
RPT
High degree of subjectivity or uncertainty in financial measure
Nonroutine (unusual and infrequent) transactions |
|
|
Term
| How do significant risks frequently arise? |
|
Definition
| From nonroutine transactions and judgmental matters that are less likely to be governed by routine controls. |
|
|
Term
| factors that increase the likelihood a nonroutine transaction will be significant |
|
Definition
Increased manual intervention for data processing
Increased management intervention to determine accounting practices
Difficult accounting principles
RPTs
Transactions for which implementing controls is difficult |
|
|
Term
| What makes RMMs related to significant judgmental matters greater? |
|
Definition
They involve accounting estimates resulting from:
Accounting principles subject to different interpretations
Subjective or complex judgments
Significant assumptions |
|
|
Term
| How does an auditor respond to a significant risk? |
|
Definition
| by performing substantive procedures in addition to evaluating the design of relevant controls and determining whether they have been implemented. |
|
|
Term
| insufficiency of substantive procedures |
|
Definition
Auditor may be unable to obtain sufficient appropriate audit evidence about relevant assertions by applying substantive procedures alone.
Tests of controls may be essential when routine transactions and the audit trail are both highly automated.
The assessment of RMMs at the relevant assertion level may need to be revised as more audit evidence is gathered. |
|
|
Term
| assessment of control risk (high or low) |
|
Definition
| control risk (and thus RMM) can be assessed at a lower level if controls are operating effectively. |
|
|
Term
| How can control risk be lowered? |
|
Definition
| If controls are operating effectively, the auditor performs tests of controls, and, based on the RMM, the auditor designs appropriate substantive tests to identify potential misstatements. |
|
|
Term
| overall responses apply to the assessed RMMs at the F/S level |
|
Definition
Emphasis on professional skepticism in evidence gathering and evaluation.
Increased supervision.
Assignment of staff w/greater experience or expertise
Greater unpredictability in the choice of further audit procedures
Performance of substantive procedures at the end of period |
|
|
Term
| strong and weak control env. |
|
Definition
An effective control environment increases the reliability of internally generated audit evidence.
Weaknesses in the CE lead to a response that may include
Seeking more evidence from substantive procedures
Obtaining more persuasive evidence.
Expanding the engagement's scope to audit more locations. |
|
|
Term
| substantive audit approach |
|
Definition
| based on substantive procedures |
|
|
Term
|
Definition
| applies tests of controls and substantive procedures |
|
|
Term
| most important factor in auditor's response to risk |
|
Definition
| nature of the procedures. |
|
|
Term
| design of further audit procedures should consider... |
|
Definition
Risk significance
Likelihood of a material misstatement
Characteristics of the transaction class, balance, or disclosure
Nature of the controls
Extent of the expectation of obtaining evidence of the effectiveness of controls |
|
|
Term
| basis for choosing audit approach |
|
Definition
|
|
Term
| Are controls a factor in the risk assessment? |
|
Definition
| The risk assessment procedures may not identify effective controls for the relevant assertion, or testing controls may be inefficient. The result is that controls are not a factor in the risk assessment. |
|
|
Term
| How do controls affect the audit approach? |
|
Definition
| If controls are not a factor in the risk assessment, then the audit will have to sufficiently lower detection risk under the substantive audit approach. |
|
|
Term
| When is the combine audit approach selected? |
|
Definition
| When the processing of routine transactions is highly automated with little manual intervention. |
|
|
Term
|
Definition
|
|
Term
|
Definition
| substantive procedures or tests of controls |
|
|
Term
|
Definition
| inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedures |
|
|
Term
| choice of audit procedures depends on |
|
Definition
Relevant assertion
RMM (evidence must be more appropriate and reliable if RMM is higher)
Reasons for the assessment of the RMM |
|
|
Term
| reasons for the assessment of the RMM |
|
Definition
Auditor considers inherent risk of each transaction class, balance, or disclosure.
Auditor also considers whether the assessment reflects control risk.
A lower RMM, which means that controls are more effective, may justify using only substantive procedures.
Auditor tests the accuracy and completeness of information generated by the information system if it is used in applying procedures. |
|
|
Term
|
Definition
| greater likelihood that procedures will be performed at the end of the period or at unpredictable times. |
|
|
Term
| performing procedures before the end of the period should... |
|
Definition
| result in consideration of the additional evidence needed to address the remaining period. |
|
|
Term
| timing of procedures is based on considerations such as... (RANT) |
|
Definition
Relevant period or date
Availability of information
Nature of risk
The control environment |
|
|
Term
|
Definition
| quantity, such as the number of sampled items |
|
|
Term
auditor's judgment about extent is based on
(DAT) |
|
Definition
Desired level of assurance
Assessed RMM
Tolerable misstatement |
|
|
Term
| computer-assisted audit technologies (CAATs) |
|
Definition
| Use of CAATs may expand the extent of procedures. They may be applied to the whole population of relevant items, but sampling is often appropriate is statistically sound methods are employed. |
|
|
Term
| When do auditors test suitably designed controls at the relevant assertion level? |
|
Definition
The risk assessment is based on the expectation that controls are operating with some degree of effectiveness.
Substantive procedures are inadequate by themselves to obtain sufficient appropriate audit evidence. |
|
|
Term
| tests of controls are performed when... |
|
Definition
| detection risk is needed to be reduced to an acceptably low level b/c controls are ineffective |
|
|
Term
| Testing controls determines... |
|
Definition
| How controls were applied at relevant times, by whom and the consistency of their application. |
|
|
Term
| nature of test of controls (types) |
|
Definition
| inquiry, inspection, observation, and reperformance. |
|
|
Term
| Which provides more assurance: inquiry + reperformance or inquiry + observation? |
|
Definition
|
|
Term
| What affects the selection of an audit procedure? |
|
Definition
|
|
Term
| direct and indirect controls |
|
Definition
Ex of direct control: control group's review of an exception report.
general and application controls are indirect. |
|
|
Term
|
Definition
| meet the objectives of tests of details of transactions as well as tests of controls. |
|
|
Term
| Is nondetection of misstatements evidence of effectiveness? |
|
Definition
| No, but misstatements detected by substantive procedures may imply that controls are ineffective. |
|
|
Term
| timing of audit procedures depends on... |
|
Definition
| whether the objective is to test controls over PPE may be sufficient. |
|
|
Term
| When tests are conducted at an interim period,... and the auditor considers |
|
Definition
the auditor should determine procedures to be performed during the remaining period.
The auditor considers the following:
Assessed RMMs
Controls tested
The evidence about operating effectiveness
The duration of the remaining period
Any intended reduction of substantive procedures
The control environment
Significant changes in IC |
|
|
Term
| Should procedures should be performed to determine the relevance of audit evidence from prior audits? |
|
Definition
Yes. For example, the auditor should verify that changes in an effective control have not been made that impair its functioning.
Furthermore, the auditor may not rely on evidence from a prior audit about a control intended to reduce a significant risk. |
|
|
Term
| If the auditor plans to rely on controls that have not changed... |
|
Definition
| they should be tested at least once every third year, though some controls should be tested on an annual basis. |
|
|
Term
| In determining whether to rely on audit evidence from a prior audit, the auditor considers... |
|
Definition
The RMM and extent of reliance on the control
Other components of IC
IT general controls |
|
|
Term
|
Definition
| performed to detect material misstatements at the relevant assertion level. They should respond to the related assessed RMM and planned level of detection risk. |
|
|
Term
| In performing substantive procedures, the auditor should... |
|
Definition
Examine material entries and other adjustments made in statement preparation
Agree the statements to the accounting records |
|
|
Term
| In performing substantive procedures, the auditor should evaluate the qualitative aspects of the company's accounting practices, including... |
|
Definition
Selective correction of misstatements
Proposed adjusting entries that offset misstatements accumulated by the auditor
Basis in the selection of accounting principles or in accounting estimates |
|
|
Term
| What kinds of substantive procedures should be performed? |
|
Definition
| Those that respond specifically and with a high degree of reliability to significant risks. |
|
|
Term
| nature of substantive procedures |
|
Definition
| Include tests of details and substantive analytical procedures. |
|
|
Term
| Can analytical procedures alone suffice to reduce planned detection risk to an acceptable level? |
|
Definition
Yes, but substantive procedures alone cannot do this.
Assessed RMM may be reduced by tests of controls.
The best responses in other cases may be to perform tests of details only or a combination of the types of procedures. |
|
|
Term
|
Definition
| normally should be applied to certain assertions about balances (existence and valuation). |
|
|
Term
|
Definition
| most often applied to high-volume, relatively predictable transactions. |
|
|
Term
| existence or occurrence assertion |
|
Definition
| The auditor chooses items from an F/S amount for testing. |
|
|
Term
|
Definition
| The auditor seeks evidence that an item should be and is included in an F/S amount. |
|
|
Term
| risk of management override of controls |
|
Definition
| Pertinent because it may affect the relationship on which such procedures are based. Thus, analytical procedures may not detect certain frauds. |
|
|
Term
| The longer the remaining period after substantive procedures are performed... |
|
Definition
| the greater the detection risk resulting from performing procedures at an interim date. |
|
|
Term
| What does the auditor consider when performing substantive procedures? |
|
Definition
Relevant controls, including CE
Availability of information at the end of the remaining period
Procedure objectives
Assessed RMM
Nature transaction class or balance and relevant assertions
Ability to reduce detection risk resulting from performing interim-date procedures |
|
|
Term
| When RMMs are identified due to fraud... |
|
Definition
| The auditor may decide that substantive procedures should not be performed at an interim date. |
|
|
Term
|
Definition
| The auditor may compare interim-date and period-end amounts and perform analytical procedures for the remaining period to identify anomalies. |
|
|
Term
| What does the auditor consider when performing analytical procedures? |
|
Definition
The predictability of ending balances.
The entity's procedures for interim-date adjustments and accounting cutoffs.
Whether the information system will produce the information about balances and transactions necessary to an analytical investigation. |
|
|
Term
| Why aren't substantive procedures enough to reduce planned detection risk? |
|
Definition
| Such procedures provide little evidence usable in the current period. |
|
|
Term
|
Definition
| greater extent of relevant procedures |
|
|
Term
| measuring RMM and determining extent of procedures |
|
Definition
For tests of details, the extent is usually a function of sampling.
For analytical procedures, the auditor considers the acceptable variation from the expectation. This variation relates to the performance materiality and the desired assurance. |
|
|
Term
| documentation of audit procedures for assessing risk |
|
Definition
Overall responses
Nature, timing, and extent of further audit procedures and their connections to assessed risks of relevant assertions
Results of audit procedures
Conclusions about use of prior-audit evidence with respect to the operating effectiveness of controls. |
|
|
Term
| assessing risk in a computerized environment |
|
Definition
Objectives the same as in manual: RMM assessed to help determine nature, timing, and extent of substantive procedures and tests of controls.
Concept is same as in manual: After obtaining an understanding of the entity and its IC, the auditor decides whether to test and rely on controls or forgo such tests (whichever is more efficient).
Many procedures are the same. Numerous controls in a computer environment are outside the computer system and can be tested using procedures applicable to a manual system. |
|
|
Term
| conventional testing procedure for testing controls |
|
Definition
| first to assess the RMM relative to the CE (general controls). If the CE is ineffective, the auditor should not place reliance to individual controls (application controls). |
|
|
Term
| testing procedures (for computer or manual system for assessing risk) |
|
Definition
Inquiries of entity personnel
Inspection of documents, reports, and electronic files
Observation of the application of specific controls
Reperformance by the auditor |
|
|
Term
| auditing the organizational structure in the control env. |
|
Definition
The auditor inspects documentation and observes operations demonstrating that the IT function has no custody of assets or transaction authority and actually
Operating as a service department independently of users and
Reporting to senior-level management |
|
|
Term
| auditing the assignment of authority and responsibility in the control env. |
|
Definition
| The auditor inquires and observes whether IT employees are performing functions consistent with their assigned responsibilities (and have no incompatible responsibilities). |
|
|
Term
| auditing the information processing process |
|
Definition
The auditor does the following:
Observes the backup copies of files and programs to determine that they are safeguarded;
Inspects the written security policy concerning virus protection and observes the existence of available anti-virus software.
Inspects program acquisition and development requests for the proper authorization, assignment of responsibility for design and coding, testing, and acceptance; and
Inspects program documentation to determine whether it is complete and up-to-date. |
|
|
Term
|
Definition
The auditor tests access controls by:
Attempting to sign on to the computer system using various passwords and ID numbers,
Inspecting the system access log for completeness and appropriate use and follow-up (passwords consistent w/employees' responsibilities) and
Observing that disposal of sensitive documents and printouts is controlled so that unauthorized persons cannot gain information concerning passwords or ID numbers. |
|
|
Term
| auditing around the computer is not appropriate when... |
|
Definition
when systems are sophisticated or the major controls are included in the computer programs. It may be appropriate for very simple systems that produce appropriate printed outputs.
The auditor manually processes transactions and compares the results with the client's computer-processed results.
B/c only a small number of transactions can ordinarily be tested, the effectiveness of the tests of controls must be questioned.
The computer is treated as a black box, and only inputs and outputs are evaluated. |
|
|
Term
| auditing through the computer |
|
Definition
| uses the computer to test the processing logic and controls w/in the systems and the records produced. |
|
|
Term
| How is auditing through the computer (ATTC) accomplished? |
|
Definition
Processing test data
Parallel simulation
Creation of an integrated test facility
Programming embedded audit modules |
|
|
Term
| test data approach for ATTC |
|
Definition
| Auditor prepares a set of dummy transactions specifically designed to test the control activities that management claims to have incorporated into the processing programs. The auditor can expect the controls to be applied to the transactions in the prescribed manner. Thus, the auditor is testing the effectiveness of the controls. |
|
|
Term
| advantage of test data approach |
|
Definition
| directly tests the controls. |
|
|
Term
| disadvantage of test data approach |
|
Definition
| tests processing at only one moment in time. That is, the auditor does not have assurance that the program tested is the one used throughout the year to process client transactions. |
|
|
Term
|
Definition
uses a controlled program to reprocess sets of client transactions and compares the auditor-achieved results with those of the client.
The key is for the auditor's program to include the client's edit checks. Thus, the client's results of processing, rejected transactions, and error listing should be the same as the auditor's. |
|
|
Term
| advantage of parallel simulation |
|
Definition
| transactions from throughout the period may be reprocessed. The results can then be compared with the client's results to provide assurance that the edit checks (controls) have been applied during the period. |
|
|
Term
| disadvantage of parallel simulation |
|
Definition
| cost of obtaining the program and coordination effort required to obtain transactions to reprocess |
|
|
Term
| integrated test facility (ITF) method |
|
Definition
| auditor creates a dummy record w/in client's actual system. Dummy and actual transactions are processed. The auditor can test the edit checks by altering the dummy transactions and evaluating error listings. |
|
|
Term
| advantage of integrated test facility |
|
Definition
| tests actual program in question |
|
|
Term
| disadvantage of integrated test facility |
|
Definition
| requires considerable coordination and the dummy transactions must be purged prior to internal and external reporting. Not used extensively be external auditors. |
|
|
Term
|
Definition
| integral part of application system that is designed to identify and report actual transactions and other information that meet criteria having audit significance |
|
|
Term
|
Definition
| permits continuous monitoring of online, real-time systems. |
|
|
Term
|
Definition
| audit hooks must be programmed into the OS and applications programs to permit the use of audit modules |
|
|
Term
| What is the auditor's controlled program for parallel simulation? |
|
Definition
| The auditor's controlled program may be a copy of the client's program that has been tested. An expensive alternative is for the auditor to write a program tat includes management's controls. Also, a program may be created from generalized audit software. |
|
|
Term
| Upon completion of the tests of computer controls, the auditor... |
|
Definition
| assesses computer control risk and relates it to specific F/S assertions. This risk assessment is a primary factor in determining the appropriate substantive procedures. |
|
|
